- What: depthfirst's autonomous AI agent discovered 21 confirmed zero-days in FFmpeg for approximately $1,000, while Google shipped Chrome 149 with a record 429 security fixes.
- Impact: FFmpeg vulnerabilities affect media pipelines across nearly every video-processing application, with some heap and stack overflows present since 2003; Chrome's worst bug (CVE-2026-10881, CVSS 9.6) enables sandbox escape and code execution.
- Fix / mitigation: Update FFmpeg to the latest upstream build including CVE-2026-39210 through CVE-2026-39218 patches; update Chrome to 149.0.7827.53 (Linux) or 149.0.7827.53/54 (Windows/macOS).
- Who's at risk: Any organization using FFmpeg in media pipelines, Python wheels, containers, or appliances; all Chrome users face sandbox escape risk until patched.
An autonomous AI security agent has discovered 21 previously unknown vulnerabilities in FFmpeg for approximately $1,000, marking an inflection point in vulnerability discovery economics. The same week, Google shipped Chrome 149 with patches for 429 security bugs—the most ever in a single release—as the company scrambles to adapt its bounty program to handle a flood of AI-generated submissions. The pressure is identical from both directions: AI is accelerating vulnerability discovery faster than remediation pipelines can absorb.
FFmpeg: 21 Zero-Days from 1.5 Million Lines of Code
Security startup depthfirst ran its autonomous agent against FFmpeg's roughly 1.5 million lines of C code and produced 21 confirmed zero-day vulnerabilities, each with a reproducible proof-of-concept. The scan cost around $1,000. Several bugs had been dormant for 15 to 20 years. One stack overflow in the service-description-table code dates to 2003 and sat untouched for 23 years. Most are heap or stack overflows in parsers and demuxers, spanning components from the TS demuxer to the VP9 decoder.
Nine vulnerabilities have already received CVE identifiers: CVE-2026-39210 through CVE-2026-39218. The remainder are fixed in upstream builds but not yet numbered. depthfirst published proof-of-concept code alongside its disclosure. FFmpeg is embedded in an enormous surface: media pipelines, Python wheels, container images, appliances, and thousands of downstream products. This is not a single-package update problem.
FFmpeg is bundled into countless applications, containers, and hardware appliances. System package updates will not catch embedded copies in Python environments, Docker images, or vendor firmware. Inventory every FFmpeg instance in your stack and prioritize anything ingesting untrusted RTSP or AV1-over-RTP streams.
Chrome 149: 429 Patches, One Release
Chrome 149 fixes 429 vulnerabilities, shattering the previous single-release record. Over 100 are rated critical or high severity, dominated by use-after-free bugs and insufficient input validation. The most severe, CVE-2026-10881 (CVSS 9.6), is an out-of-bounds read and write in the ANGLE graphics engine that allows a crafted web page to escape the sandbox and execute code on the host system. Google paid the researcher $97,000 for that bug.
The distribution of findings is revealing. Of roughly 90 high-severity bugs, only 10 came from outside researchers. Nineteen of the 22 critical vulnerabilities were internal Google discoveries. The AI connection is about volume, not authorship. Google has not publicly attributed the 429-bug count to AI, but the signal is clear: the company overhauled its bounty program in April in response to a flood of AI-generated submissions. The new rules ask for concise reproducers instead of the verbose writeups AI models tend to generate.
The AI Vulnerability Discovery Pattern
This is not an isolated event. Google's own Big Sleep agent reported a series of FFmpeg bugs last year, now tagged BIGSLEEP on the project's security page. Anthropic's Mythos model found a 16-year-old H.264 flaw and other FFmpeg vulnerabilities for about $10,000; three of those shipped in FFmpeg 8.1. Days before the depthfirst disclosure, another autonomous tool identified an authenticated remote code execution bug in Redis that had been present since version 7.2.0—unnoticed for over two years.
Research supports the operational reality. A February study demonstrated that an AI agent could reproduce working proof-of-concept exploits for more than half of 100 real Linux kernel N-day bugs, outperforming traditional fuzzing. The cost of finding vulnerabilities has collapsed. The cost of triaging reports, shipping fixes, and deploying patches has not. That asymmetry is the new operational problem.
A $1,000 AI scan found 21 zero-days in a 1.5-million-line codebase. A $10,000 run pulled multi-decade bugs from FFmpeg. The bottleneck is no longer discovery—it is response capacity. Triage, patch development, testing, and deployment all depend on human work that has not accelerated at the same rate.
Immediate Actions
For FFmpeg, pull the fixed upstream build or your distribution's security update as soon as it ships. Do not stop at system packages. FFmpeg is embedded in Python wheels, container base images, vendor appliances, and custom builds. Audit your entire stack. Prioritize any component that ingests untrusted RTSP streams or AV1-over-RTP. These are network-facing parsers processing attacker-controlled input.
For Chrome, update to version 149.0.7827.53 on Linux or 149.0.7827.53/54 on Windows and macOS. Verify that auto-update has run. CVE-2026-10881 is a sandbox escape with a 9.6 CVSS score. Any delay leaves endpoints vulnerable to drive-by compromise via malicious web pages.
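The two action items above (inventory every embedded FFmpeg copy, then verify the Chrome build actually installed) come down to the same check: find the artifact, read its version, compare it to a floor. The script below is an added example written for this article, not code from depthfirst, the FFmpeg project, Google or RedEye. It assumes Linux/macOS file naming for the libav* shared objects, that `MIN_FFMPEG` is a placeholder you replace with the fixed upstream release you standardize on (the article does not name one), and that the Chrome floor is the 149.0.7827.53 Linux build the article gives. The libav* ident strings (`Lavc61.19.100` and so on) are compiled into every FFmpeg library build, which is what lets the scan version a vendored `libavcodec.so` inside a Python wheel or container layer that ships no `ffmpeg` binary at all.

```python
"""Locate every FFmpeg copy on a host and check it against a minimum version.

Added example for this article, not code from depthfirst, FFmpeg, Google or
RedEye. MIN_FFMPEG is a placeholder you set to the fixed upstream release;
MIN_CHROME is the Chrome 149 Linux build named in the article.
"""
import os
import re
import shutil
import subprocess
import sys
from typing import Iterator, List, Optional, Tuple

MIN_FFMPEG = "0.0.0"          # placeholder: first release carrying the fixes you need
MIN_CHROME = "149.0.7827.53"  # from the article (Linux build of Chrome 149)

# First line of `ffmpeg -version`: "ffmpeg version 7.1.1 Copyright ..." or
# "ffmpeg version n8.0 ...". Git snapshots ("N-118000-gabcdef...") carry no
# release number and are reported as unknown rather than guessed.
_FFMPEG_RE = re.compile(r"^ffmpeg version n?(\d+(?:\.\d+)*)")
# `google-chrome --version` prints e.g. "Google Chrome 149.0.7827.53".
_CHROME_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+)")
# Every libavcodec/libavformat/libavutil build embeds an ident string such
# as "Lavc61.19.100"; scanning for it versions a shared object that ships
# without an ffmpeg binary (vendored wheels, stripped appliances).
_IDENT_RE = re.compile(rb"Lav[cfu]\d+\.\d+\.\d+")
_LIB_PREFIXES = ("libavcodec", "libavformat")
_BINARIES = {"ffmpeg", "ffprobe", "ffmpeg.exe", "ffprobe.exe"}


def parse_ffmpeg_version(banner: str) -> Optional[str]:
    first = banner.splitlines()[0] if banner else ""
    m = _FFMPEG_RE.match(first)
    return m.group(1) if m else None


def parse_chrome_version(banner: str) -> Optional[str]:
    m = _CHROME_RE.search(banner)
    return m.group(1) if m else None


def is_at_least(found: str, minimum: str) -> bool:
    """Component-wise numeric compare ('7.10' > '7.9'); shorter tuples are zero-padded."""
    a = [int(x) for x in found.split(".")]
    b = [int(x) for x in minimum.split(".")]
    n = max(len(a), len(b))
    return a + [0] * (n - len(a)) >= b + [0] * (n - len(b))


def classify(found: Optional[str], minimum: str) -> str:
    if found is None:
        return "unknown"      # git snapshot or unparsable banner: verify by hand
    return "ok" if is_at_least(found, minimum) else "OUTDATED"


def lib_idents(data: bytes) -> List[str]:
    """Distinct Lavc/Lavf/Lavu ident strings found in a shared object's bytes."""
    return sorted({m.decode() for m in _IDENT_RE.findall(data)})


def _interesting(name: str) -> bool:
    if name in _BINARIES:
        return True
    return name.startswith(_LIB_PREFIXES) and (".so" in name or name.endswith(".dylib"))


def find_candidates(roots) -> Iterator[str]:
    """Walk roots (site-packages, /opt, unpacked container layers) for FFmpeg artifacts."""
    for root in roots:
        for dirpath, _, files in os.walk(root):
            for name in files:
                if _interesting(name):
                    yield os.path.join(dirpath, name)


def run_version(cmd: List[str]) -> str:
    try:
        return subprocess.run(cmd, capture_output=True, text=True, timeout=10).stdout
    except (OSError, subprocess.SubprocessError):
        return ""


def inventory(roots, minimum: str = MIN_FFMPEG) -> List[Tuple[str, str, str]]:
    """(path, version-or-idents, status) for the ffmpeg on PATH plus everything under roots."""
    rows = []
    on_path = shutil.which("ffmpeg")
    paths = ([on_path] if on_path else []) + list(find_candidates(roots))
    for p in dict.fromkeys(paths):  # de-duplicate, keep discovery order
        if os.path.basename(p).startswith(_LIB_PREFIXES):
            with open(p, "rb") as f:
                idents = lib_idents(f.read())
            rows.append((p, ",".join(idents) or "?", "library: match idents to your fixed build"))
        else:
            v = parse_ffmpeg_version(run_version([p, "-version"]))
            rows.append((p, v or "?", classify(v, minimum)))
    return rows


def chrome_status(minimum: str = MIN_CHROME) -> Tuple[str, str]:
    chrome = shutil.which("google-chrome") or shutil.which("google-chrome-stable")
    if not chrome:
        return ("?", "not found")
    v = parse_chrome_version(run_version([chrome, "--version"]))
    return (v or "?", classify(v, minimum))


if __name__ == "__main__":
    roots = sys.argv[1:] or [p for p in sys.path if p.endswith("site-packages")] + ["/opt", "/usr/local"]
    for path, ver, status in inventory(roots):
        print(f"{status:<10} {ver:<40} {path}")
    print("chrome    ", *chrome_status())
```

Run it with no arguments to cover the interpreter's site-packages, `/opt` and `/usr/local`, or pass explicit roots such as an unpacked container image. Two caveats worth keeping in mind: `inventory` executes every `ffmpeg` binary it finds with `-version`, so on a forensic image or an untrusted mount use only the ident scan (`lib_idents` works on any file, including executables that statically link libavcodec); and a library ident tells you the component version, not the FFmpeg release, so the final "is this fixed" decision for a vendored `.so` means matching the idents against the ones your fixed build produces.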
Operational Implications
The response model must change to match the new pace: patch cycles must get shorter, auto-update must be enforced wherever it exists, and dependency bumps that carry CVE fixes must be treated as security work, not routine maintenance. The hard part is the shift itself. AI has industrialized vulnerability discovery. Remediation still depends on a thin layer of human triagers, maintainers, and operators—many of them volunteers—now expected to keep pace with machines.
Two data points landed within days: 21 FFmpeg zero-days for $1,000 and Chrome's 429-bug release. Both point to the same pressure. The flood is here. Organizational response cadence, not detection capability, is now the limiting factor in exposure time. Adjust patch SLAs, automate dependency updates, and inventory every embedded library. The next $1,000 scan is already running.
Questions about your exposure?
RedEye Security provides assessments for organizations that need to understand their real risk.