AI Agent Finds 21 FFmpeg Zero-Days Including Unauthenticated RCE

Depthfirst's autonomous AI security agent spent $1,000 to find 21 zero-days in FFmpeg, including an unauthenticated RCE triggered by a 183-byte packet.

    An autonomous AI security agent from depthfirst analyzed 1.5 million lines of FFmpeg’s C code for approximately $1,000 and produced 21 confirmed zero-day vulnerabilities — each accompanied by a reproducible proof-of-concept input — including one that grants remote code execution to any attacker capable of delivering a single 183-byte network packet to a vulnerable application, no credentials required.

    How depthfirst’s AI Agent Found Flaws Across FFmpeg’s Core Subsystems

    Depthfirst published a technical disclosure describing how its autonomous agent processed the entire FFmpeg codebase in a single pass. The analysis covered FFmpeg’s most critical components: the TS demuxer, VP9 video decoder, RTP depacketizers for AV1, JPEG, LATM, and MPEG-4 streams, the swscale image-scaling library, and the DASH, AVI, CAF, RTSP, and RTMP processing components. Nine vulnerabilities received official CVE identifiers — CVE-2026-39210 through CVE-2026-39218 — while 12 additional bugs are tracked internally as DFVULN-116 through DFVULN-127, with formal CVE assignments pending as the FFmpeg project works through coordinated triage.

    The vulnerability types cover the core memory-safety failure classes: heap buffer overflows, stack buffer overflows, integer overflow and underflow conditions, and heap buffer underflows. All 21 findings came with reproducible proof-of-concept inputs, providing the FFmpeg maintainers with the concrete evidence needed to develop and validate patches for each.

    DFVULN-127: RCE via a 183-Byte Unauthenticated Packet in FFmpeg

    The most critical finding is DFVULN-127, a heap buffer overflow that enables arbitrary code execution. The exploit path is direct: a single crafted 183-byte media packet delivered to any service or application running the affected FFmpeg component achieves code execution without authentication, without requiring user interaction, and without any prior access to the target system. Internet-facing services that accept external media — video uploads, live streaming ingestion points, media processing APIs — are reachable by any unauthenticated attacker who can route packets to the service, placing DFVULN-127 among the most immediately exploitable classes of memory-corruption vulnerability.

    A 23-Year Stack Overflow in FFmpeg’s Service-Description-Table Parser

    The oldest confirmed vulnerability in the batch is a stack overflow in FFmpeg’s service-description-table parsing code that dates to 2003 — 23 years before its discovery. Multiple additional bugs in the set had been latent for 15 to 20 years, surviving formal security audits, peer code reviews, and what the depthfirst disclosure characterizes as millions of hours of automated fuzzing. The AI agent’s systematic full-codebase analysis identified structural patterns that every prior method — human review and automated tooling alike — had consistently failed to surface.

    The persistence of a 23-year-old memory safety failure across decades of community scrutiny in one of the most widely deployed open-source libraries on the internet raises a direct question about the audit coverage assumptions built into conventional security programs: if this flaw was undetectable by traditional means in FFmpeg, similar undetected patterns likely persist in codebases that receive considerably less external review.

    FFmpeg’s Reach Across Browsers, Android, and Streaming Amplifies Patch Urgency

    FFmpeg is the media processing engine embedded in Chrome, Firefox, VLC, Android’s media stack, most video conferencing platforms, and the server infrastructure behind a substantial share of internet video streaming services. A vulnerability in FFmpeg’s parsers or decoders propagates to every application that links against an unpatched version — an attack surface spanning desktop browsers, mobile operating systems, streaming backends, and embedded devices deployed across consumer and enterprise environments.

    The depthfirst disclosure places the $1,000 analysis cost in explicit context: that figure is approximately 10% of the cost of a single Anthropic Mythos analysis run. The economics mark a structural shift in who can commission this depth of automated code analysis. AI-powered vulnerability research at the scale of a 1.5-million-line multimedia framework is no longer confined to well-resourced intelligence programs or top-tier security firms — it is accessible to any organization with a four-figure budget willing to run the agent. The constraint has moved from finding the bugs to managing the consequences: FFmpeg’s volunteer maintainer team now faces 21 simultaneous machine-generated vulnerability reports while the broader ecosystem of applications embedding FFmpeg awaits patched builds.

    Patches have been deployed for all 21 confirmed vulnerabilities. CVE assignments for the 12 DFVULN-tracked entries remain pending. Organizations running FFmpeg in any internet-facing or media-ingestion context should confirm their deployed version reflects the patched builds and monitor the CVE tracker for the remaining assignments as they complete.
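    Because a vulnerable FFmpeg propagates to every binary that links against it, the first defensive step is knowing which binaries on a host load the FFmpeg shared libraries and at what version. The POSIX shell script below is an added example, not part of the depthfirst disclosure or FFmpeg's own tooling; it assumes a Linux host with ldd, the set of library names it looks for is an assumption, the sample ldd output is constructed, and since the patched version numbers are not given on the page it reports versions rather than judging them.

```shell
#!/bin/sh
# Added example, not from the disclosure: list the FFmpeg shared libraries
# a binary loads and the version carried in the resolved filename, so the
# deployed versions can be compared against the patched builds.
# Assumes a Linux host with ldd. Caveat: ldd may run a binary's own loader,
# so only point scan_binary at trusted binaries (use objdump -p or readelf -d
# for untrusted ones). Library names here are an assumption.

FFMPEG_LIB_PATTERN='lib(avformat|avcodec|avutil|swscale|avfilter)[.]so'

# extract_ffmpeg_libs: read ldd-style output on stdin and print one
# "<libname> <version> <resolved path>" line per FFmpeg library found.
extract_ffmpeg_libs() {
    awk -v pat="$FFMPEG_LIB_PATTERN" '
        $3 ~ pat {
            n = split($3, parts, "/")
            file = parts[n]
            # libavformat.so.60.16.100 -> name libavformat, version 60.16.100
            if (match(file, /\.so\.[0-9][0-9.]*$/)) {
                name = substr(file, 1, RSTART - 1)
                ver = substr(file, RSTART + 4)
            } else {
                name = file
                ver = "unversioned"
            }
            print name, ver, $3
        }' | sort -u
}

# scan_binary: resolve one trusted ELF binary with ldd and prefix each
# reported FFmpeg library with the binary path.
scan_binary() {
    ldd "$1" 2>/dev/null | extract_ffmpeg_libs | sed "s|^|$1 |"
}

# Constructed sample of ldd output so the parser can be exercised offline.
SAMPLE_LDD='
        linux-vdso.so.1 (0x00007ffd4c9f2000)
        libavformat.so.60 => /usr/lib/x86_64-linux-gnu/libavformat.so.60.16.100 (0x00007f1a2c000000)
        libavcodec.so.60 => /usr/lib/x86_64-linux-gnu/libavcodec.so.60.31.102 (0x00007f1a2a800000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1a2a400000)
'

# Usage: --demo parses the sample; otherwise each argument is a binary to scan.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LDD" | extract_ffmpeg_libs
else
    for bin in "$@"; do scan_binary "$bin"; done
fi
```

Running it over a fleet's media-handling services and diffing the reported versions against the patched builds turns the page's "confirm your deployed version" advice into a repeatable check.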
