In a remarkable demonstration of AI's capabilities, an autonomous security agent identified 21 previously undisclosed vulnerabilities in FFmpeg, a widely used media library. This announcement coincides with Google’s release of Chrome 149, which includes patches for a staggering 429 security flaws, marking the highest number ever addressed in a single update.
The vulnerabilities uncovered in FFmpeg were reported by depthfirst, a security startup that deployed its AI agent to scan the library's vast codebase of approximately 1.5 million lines of C. The agent found 21 confirmed zero-days, each backed by reproducible proof-of-concept inputs, all at an estimated cost of around $1,000. Notably, some of these vulnerabilities had been dormant for as long as 15 to 20 years, with one stack overflow dating back to 2003.
The issues found mainly involve heap and stack overflows within various components, including the TS demuxer and VP9 decoder. depthfirst's analysis indicates that several of these bugs already have CVE identifiers, ranging from CVE-2026-39210 to CVE-2026-39218, while others have been addressed but remain unnumbered.
In comparison, Google’s Chrome 149 update is significant due to the record number of vulnerabilities patched. Among the 429 issues, over 100 are classified as critical or high severity, primarily revolving around use-after-free and inadequate input validation vulnerabilities. The most severe of these, CVE-2026-10881, has a CVSS score of 9.6 and pertains to an out-of-bounds read and write in the ANGLE graphics engine, which could allow malicious pages to escape their sandbox and execute code on the host system. Google rewarded the discovery of this vulnerability with a $97,000 bounty.
While the role of AI in uncovering vulnerabilities in FFmpeg is evident, Google has not directly linked the extensive list of patched vulnerabilities in Chrome to AI contributions. The company’s recent overhaul of its bounty program, initiated in April, was designed to manage a surge of AI-generated reports, emphasizing the need for concise reproducer submissions instead of the lengthy writeups typically produced by AI tools.
This dual occurrence highlights a broader trend: the growing influence of AI in cybersecurity. As AI tools evolve, they are identifying vulnerabilities at a faster rate and prompting changes in how organizations manage security disclosures. The implications of these developments could reshape the future of vulnerability management, potentially encouraging a more proactive approach to cybersecurity.
With the pressing need for effective security measures amid rising digital threats, AI's role in detecting vulnerabilities may become even more critical. As autonomous systems continue to improve, their contributions to identifying and mitigating security risks will likely increase, requiring ongoing adaptations from organizations responsible for safeguarding digital environments.
The stories that move AI & crypto markets — before the market reacts.
Free. 7am ET. Five stories. 62,400 readers.
