Solutions  ·  2026-06-07

Depthfirst Autonomous AI Agent Discovers 21 Zero-Days in FFmpeg for ~$1,000 — Widening Discovery-to-Remediation Gap

Solutions · High impact · Global
Security startup depthfirst published research on June 6 reporting that its autonomous AI security agent scanned FFmpeg's 1.5 million lines of C code and produced 21 confirmed zero-day vulnerabilities — each with a reproducible proof-of-concept — for approximately $1,000 in compute costs. Several bugs had been latent for 15–23 years. Nine have been assigned CVEs (CVE-2026-39210 through CVE-2026-39218); the remainder are fixed but not yet numbered. A proof-of-concept RCE primitive via malformed RTSP streams is publicly disclosed. The same week, Google shipped Chrome 149 with a record 429 vulnerability patches, with the volume partly attributed to AI-generated submissions flooding the bounty program.
The $1,000 cost for 21 zero-days in a project already scanned by both Google BigSleep and Anthropic Mythos demonstrates that AI-assisted vulnerability discovery has moved from research novelty to accessible commercial capability. The Chrome 429-patch release alongside this FFmpeg disclosure signals that bug triage and patch deployment pipelines are already struggling to keep pace with AI-generated vulnerability reports — a pattern that will intensify as more firms deploy autonomous scanning agents.
Security and infrastructure teams should: (1) treat FFmpeg as a priority patch target given the public PoC RCE primitive; (2) evaluate autonomous scanning agents for internal use in pre-release code review; (3) assess whether existing patch SLAs and triage capacity can absorb AI-generated volume, and begin building AI-assisted triage tooling if not.
Sources
depthfirst: 21 Zero-Days in FFmpeg
The Hacker News: AI Agent Uncovers 21 Zero-Days in FFmpeg
GitHub — DepthFirstDisclosures/ffmpeg-dfvuln127 (AV1 RTP PoC)
The Next Web — An AI agent found 21 zero-days in FFmpeg for $1,000