San Francisco: Artificial intelligence is rapidly transforming cybersecurity research, with a new autonomous AI security agent uncovering 21 previously unknown vulnerabilities in FFmpeg while Google simultaneously released a record-breaking Chrome update containing fixes for 429 security flaws.
Security startup depthfirst revealed that its autonomous AI agent identified 21 confirmed zero-day vulnerabilities within FFmpeg, one of the world’s most widely used multimedia processing libraries. The company said the AI system analyzed approximately 1.5 million lines of C code and generated reproducible proof-of-concept exploits for every flaw discovered.
According to depthfirst, the entire discovery process cost roughly $1,000 in computing resources. Several of the vulnerabilities had reportedly remained hidden for 15 to 20 years, including one stack overflow bug dating back to 2003 that went undetected for more than two decades.
Most of the newly discovered FFmpeg flaws involve heap and stack overflows affecting media parsers and demuxers, including components related to TS demuxing and VP9 video decoding. Some vulnerabilities have already received CVE identifiers, including CVE-2026-39210 through CVE-2026-39218, while additional fixes are awaiting official numbering.
In a separate development, Google released Chrome 149, patching an unprecedented 429 security vulnerabilities in a single update. More than 100 of those bugs were classified as critical or high severity, with many involving memory safety issues such as use-after-free errors and inadequate input validation.
Among the most serious vulnerabilities was CVE-2026-10881, a high-risk flaw in Chrome’s ANGLE graphics engine with a CVSS score of 9.6. Researchers said the bug could allow a malicious webpage to escape Chrome’s sandbox protections and execute code on a host system. Google reportedly awarded a $97,000 bug bounty for the discovery.
While Google has not directly attributed the record number of fixes to artificial intelligence, the company recently updated its vulnerability reward program following a surge in AI-generated security reports. The revised process prioritizes concise proof-of-concept demonstrations over lengthy AI-produced reports, helping security teams handle increasing submission volumes more efficiently.
The latest findings are part of a broader trend across the cybersecurity industry. Google’s AI-powered Big Sleep project previously identified multiple FFmpeg vulnerabilities, while Anthropic’s Mythos AI model uncovered several long-hidden flaws in the same software. Recent research has also shown AI agents successfully reproducing exploit code for a significant percentage of known Linux kernel vulnerabilities.
Security experts warn that organizations relying on FFmpeg should immediately apply available updates, particularly systems handling untrusted RTSP streams or AV1-over-RTP media content. Since FFmpeg is embedded in numerous software packages, cloud services, container images, appliances, and development frameworks, administrators are urged to verify and patch all bundled copies rather than updating only operating system packages.
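An added example (not from the article, FFmpeg, or depthfirst) of one way to inventory bundled FFmpeg copies as advised above: it walks a directory tree, such as an unpacked container image or appliance filesystem, and reports executables and libraries that embed FFmpeg's version strings, including statically linked ones. It assumes the build keeps those strings; the function names are illustrative.

```python
import os
import re
import sys

# Assumption: the build keeps FFmpeg's embedded version strings
# ("FFmpeg version ..." from libavutil, "Lavc"/"Lavf" idents from
# libavcodec/libavformat). Stripped or decode-only builds may lack them.
MARKERS = re.compile(rb"FFmpeg version [\w.+~-]{1,40}|Lav[cf]\d{2,3}\.\d{1,3}\.\d{1,3}")
# Scan executable formats only (ELF, PE, Mach-O): media files muxed by FFmpeg
# carry "Lavf..." in their metadata and would otherwise be reported as copies.
EXEC_MAGIC = (b"\x7fELF", b"MZ", b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe")


def scan_file(path):
    """Return the sorted FFmpeg version markers found in one binary."""
    try:
        with open(path, "rb") as fh:
            if not fh.read(4).startswith(EXEC_MAGIC):
                return []
            data = fh.read()  # whole file in memory; fine for an inventory pass
    except OSError:
        return []  # unreadable file: skip it rather than abort the walk
    return sorted({m.group(0).decode("ascii") for m in MARKERS.finditer(data)})


def find_ffmpeg_copies(root):
    """Walk root and return {path relative to root: [markers]} for every hit."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            # Skip symlinks (avoid double counting) and FIFOs/sockets.
            if os.path.isfile(path) and not os.path.islink(path):
                markers = scan_file(path)
                if markers:
                    hits[os.path.relpath(path, root)] = markers
    return hits


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, markers in sorted(find_ffmpeg_copies(root).items()):
        print(path, ", ".join(markers), sep="\t")
```

Each hit gives a path and an embedded version to compare against the fixed release. A miss does not prove absence, since a build that omits these strings will not be reported.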
The rapid rise of AI-assisted vulnerability discovery is accelerating the pace of cybersecurity. While finding software flaws has become faster and cheaper, experts note that vulnerability triage, patch development, testing, and deployment remain resource-intensive tasks that continue to depend heavily on human security teams and open-source maintainers.
