
21 Zero-Days in FFmpeg: $1K Agent Outperforms $10K Mythos Scan

depthfirst's autonomous security agent discovered 21 zero-day vulnerabilities in FFmpeg, including bugs latent for 23 years, at a fraction of the cost of Anthropic's Mythos analysis.

Tags: depthfirst, ffmpeg, zero day, cves, security agent, autonomous security

21 zero-day vulnerabilities in FFmpeg, unearthed by an autonomous security agent for roughly $1,000—one-tenth the cost of Anthropic's Mythos model scan, and with concrete, reproducible PoC inputs. Several of those bugs had been sitting latent in the codebase for 15 to 23 years.

Why FFmpeg Is the Ultimate Security Target

FFmpeg processes media everywhere: browsers, streaming platforms, infrastructure. It is roughly 1.5 million lines of heavily optimized C that parses hundreds of complex media formats from untrusted sources. Two decades of relentless fuzzing and manual audits have hardened it, which is what makes new finds notable. Google's Big Sleep team disclosed 13 vulnerabilities in it; Anthropic's Mythos model found others. depthfirst wanted to know not just whether it could replicate those results, but whether it could find bugs that Big Sleep and Mythos had missed entirely.

Building a Security Agent That Works

A coding agent and a security agent share the same underlying models but operate with fundamentally different objectives. A coding agent writes code to a specification; a security agent has to find real, exploitable flaws without being told where to look. depthfirst's agent starts by threat modeling the codebase: understanding the architecture, identifying exposed parsers and protocol handlers, and mapping where attacker-controlled input enters. It then audits that attack surface, follows data flow through components, and, critically, validates every finding by generating a reproducible concrete input that triggers the vulnerability. A finding it cannot trigger is not reported, so there are no theoretical write-ups and no false positives. The whole scan cost about $1k, versus Anthropic's reported $10k for Mythos.

The 21 Bugs: From 2003 Regressions to 2025 Refactors

The findings that already have CVEs assigned, with the year each bug was introduced:

- CVE-2026-39210: heap buffer overflow in the TS demuxer, introduced in 2010; a length field was never bounds-checked.
- CVE-2026-39211: integer overflow from a 2010 swscale refactor; a size factor formula had no upper bound.
- CVE-2026-39212: stack overflow from a July 2025 regression in ffmpeg_opt.c; recursive option parsing had no depth limit.
- CVE-2026-39213: heap overflow in the yuv4mpegenc rawvideo input path, introduced in 2023.
- CVE-2026-39214: stack buffer overflow in the SDT implementation, introduced in 2003; it sat latent for 23 years.
- CVE-2026-39215: heap overflow in update_mb_info(), introduced in 2012.
- CVE-2026-39216: heap overflow in img2enc.c, introduced in 2012.
- CVE-2026-39217: heap overflow in the VP9 decoder, from a March 2025 refactor.
- CVE-2026-39218: heap overflow in the DASH demuxer, introduced in 2017; negative duration values were not rejected.

Beyond those, 13 more zero-days across components from the TS demuxer to the VP9 decoder are fixed but not yet assigned CVEs.
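Four bug classes recur in that list: a length field copied without a bound, a size formula whose product overflows, recursion whose depth is bounded only by the input, and a signed value whose negative range was never rejected. The toy parser below is an added example written for this page to show each vulnerable pattern next to its hardened form; it is constructed illustration, not FFmpeg code or depthfirst's, and the limits FIELD_MAX, MAX_DEPTH and FRAME_MAX_BYTES are assumed values rather than anything FFmpeg uses.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Toy parser written for this page to show the four bug classes in the CVE
 * list above (unbounded length field, unchecked size arithmetic, unbounded
 * recursion, unrejected negative value). Constructed illustration, not FFmpeg
 * code; the limits below are assumed values, not FFmpeg's. */

#define FIELD_MAX 32              /* assumed capacity of a fixed-size field */
#define MAX_DEPTH 16              /* assumed limit on nested groups */
#define FRAME_MAX_BYTES (1 << 30) /* assumed cap on one frame buffer, 1 GiB */

/* 1. Length-prefixed field. The vulnerable form trusts the length byte: a
 * value above FIELD_MAX overflows the destination, a value above the bytes
 * left reads past the source. Never call this with untrusted input. */
size_t copy_field_unchecked(const uint8_t *in, uint8_t out[FIELD_MAX]) {
    size_t len = in[0];
    memcpy(out, in + 1, len);     /* no bound against FIELD_MAX or the input */
    return 1 + len;
}

/* Hardened: bound the length by the destination and by the remaining input.
 * Returns bytes consumed, or 0 for a malformed field. */
size_t copy_field(const uint8_t *in, size_t in_len, uint8_t out[FIELD_MAX]) {
    if (in_len < 1) return 0;
    size_t len = in[0];
    if (len > FIELD_MAX || len > in_len - 1) return 0;
    memcpy(out, in + 1, len);
    return 1 + len;
}

/* Wrapper so the check can be exercised without a caller-managed buffer. */
size_t try_copy_field(const uint8_t *in, size_t in_len) {
    uint8_t out[FIELD_MAX];
    return copy_field(in, in_len, out);
}

/* 2. Buffer size from width * height * bytes per pixel. The vulnerable form
 * lets the product of attacker-controlled ints wrap (undefined behaviour for
 * signed int), so a huge frame gets a small allocation that later writes
 * overrun. */
int frame_bytes_unchecked(int width, int height, int bpp) {
    return width * height * bpp;
}

/* Hardened: reject non-positive factors and check each multiplication against
 * an explicit upper bound before doing it. Returns -1 if the size is rejected. */
int64_t frame_bytes(int width, int height, int bpp) {
    if (width <= 0 || height <= 0 || bpp <= 0) return -1;
    if ((int64_t)width > FRAME_MAX_BYTES / height) return -1;
    int64_t area = (int64_t)width * height;
    if (area > FRAME_MAX_BYTES / bpp) return -1;
    return area * bpp;
}

/* 3. Recursive descent over nested groups such as "a(b(c))". Without the
 * depth argument and its check, depth is bounded only by the input, and a
 * long run of '(' exhausts the stack. Returns the deepest level reached, or
 * -1 if the limit is exceeded or the input is unbalanced. */
static int parse_group(const char **p, int depth) {
    if (depth > MAX_DEPTH) return -1;         /* the kind of limit the 2025 regression lacked */
    int deepest = depth;
    while (**p) {
        char c = *(*p)++;
        if (c == '(') {
            int d = parse_group(p, depth + 1);
            if (d < 0) return -1;
            if (d > deepest) deepest = d;
        } else if (c == ')') {
            return depth == 0 ? -1 : deepest; /* ')' at top level is stray */
        }
    }
    return depth == 0 ? deepest : -1;         /* EOF inside a group is unbalanced */
}

int max_nesting(const char *s) {
    const char *p = s;
    return parse_group(&p, 0);
}

/* 4. Signed duration read from the container. A "too large" check alone lets a
 * negative value through into later arithmetic or byte counts; the valid range
 * must be closed on both ends. Returns 1 if acceptable, 0 otherwise. */
int duration_ok(int64_t duration, int64_t max_duration) {
    return duration >= 0 && duration <= max_duration;
}

int main(void) {
    const uint8_t bad_len[] = { 200, 'x' };   /* constructed: claims 200 bytes, carries 1 */
    printf("field consumed: %zu (0 = rejected)\n", try_copy_field(bad_len, sizeof bad_len));
    printf("frame 65536x65536x4: %lld (-1 = rejected)\n", (long long)frame_bytes(65536, 65536, 4));
    printf("nesting of a(b(c)): %d\n", max_nesting("a(b(c))"));
    printf("duration -1 ok? %d\n", duration_ok(-1, 86400));
    return 0;
}
```

The pattern in every hardened function is the same: the limit is checked against the input before the input is used, and the check covers both directions of the range (destination capacity and remaining source bytes; overflow and non-positive factors; depth and balance; upper and lower bound). Build with -fsanitize=address,undefined when testing parsers like this, since the unchecked variants fail silently without a sanitizer.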

The agent also produced a PoC demonstrating a remote code execution exploit primitive. depthfirst's results show that an autonomous security agent, built with the right guardrails, can find critical bugs even in one of the most heavily audited codebases, and can do so cheaply enough that continuous deep scans become practical.


Source: Twenty One Zero-Days in FFmpeg (depthfirst.com)
