AI Agent Discovers 21 Zero-Day Vulnerabilities in FFmpeg

An autonomous AI agent developed by security startup DepthFirst has identified 21 previously unknown vulnerabilities in FFmpeg, a widely used multimedia framework. The vulnerabilities, some dating back over two decades, were uncovered through an extensive analysis of FFmpeg’s approximately 1.5 million lines of C code. The agent produced a reproducible proof-of-concept for each flaw, and the entire process cost around $1,000.

The identified vulnerabilities primarily consist of heap and stack overflows within various parsers and demuxers, affecting components such as the TS demuxer and the VP9 decoder. Notably, one stack overflow in the service-description-table code had remained undetected since 2003. DepthFirst has assigned CVE identifiers to several of these vulnerabilities, including CVE-2026-39210 through CVE-2026-39218, and has published a proof-of-concept to demonstrate the exploits.

In related news, Google has released Chrome version 149, addressing a record-breaking 429 security vulnerabilities. Among these, over 100 are classified as critical or high severity, with the most severe being CVE-2026-10881, an out-of-bounds read and write issue in the ANGLE graphics engine that could allow a crafted webpage to escape the sandbox and execute code on the host system. Google awarded $97,000 for the discovery of this flaw.

While the majority of these high-severity vulnerabilities were identified internally by Google, the surge in reported issues is partly attributed to the increased use of AI in vulnerability detection. Google’s recent overhaul of its bug bounty program reflects this trend, as the company adapts to a growing number of AI-generated submissions.

These developments underscore the transformative impact of AI in cybersecurity. Autonomous agents are not only accelerating the discovery of vulnerabilities but also uncovering longstanding flaws that have eluded traditional detection methods. Patching and update processes need to accelerate correspondingly to mitigate the resulting risk.

Source: The Hacker News