AI Agent Finds 21 FFmpeg Zero-Days as Chrome Ships 429 Security Fixes
An autonomous security agent developed by depthfirst uncovered 21 previously unknown zero-day vulnerabilities in FFmpeg, the widely used open-source media processing library embedded in browsers, streaming services, surveillance products, and cloud workloads. Reported flaws span the TS demuxer, VP9 decoder, RTP depacketizers, RTSP server, and RTMP client, with multiple memory-corruption bugs and at least eight assigned CVEs. The most severe issue, DFVULN-127, is a heap buffer overflow in FFmpeg’s AV1 RTP depacketizer that researchers said could enable remote code execution through a single 183-byte RTP packet delivered over RTSP, without authentication or user interaction.
The FFmpeg findings were disclosed alongside Chrome 149, which fixed a record 429 vulnerabilities, including more than 100 critical or high-severity flaws and a severe ANGLE issue tracked as CVE-2026-10881 with a CVSS 9.6 score. Researchers said the FFmpeg bugs were found after an AI agent scanned roughly 1.5 million lines of C code, performed threat modeling, reachability analysis, and proof-of-concept generation, reportedly at a cost of about $1,000. The disclosures add to evidence that AI is sharply increasing the speed and volume of vulnerability discovery, while leaving defenders and maintainers under growing pressure to triage findings, patch exposed software, and review network-facing workflows that process untrusted RTSP/RTP media streams.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Google updates bug bounty processes amid AI-generated submissions
Google recently changed its bug bounty process in response to a flood of AI-generated vulnerability submissions. The change was cited alongside the surge in AI-assisted vulnerability discovery affecting vendor triage and remediation workflows.
Google releases Chrome 149 with 429 security fixes
Google released Chrome 149 with a record 429 vulnerability fixes in a single release, including more than 100 critical or high-severity issues. Coverage highlighted a severe ANGLE flaw, CVE-2026-10881, with a CVSS score of 9.6.
depthfirst reports 21 FFmpeg zero-days found by an autonomous AI agent
Security startup depthfirst reported that its autonomous agent discovered 21 previously unknown zero-day vulnerabilities in FFmpeg, including memory corruption issues across multiple components and reproducible proof-of-concept inputs. The reporting said the agent analyzed roughly 1.5 million lines of C code and made the discoveries at an estimated cost of about $1,000.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
21 0-Day Vulnerabilities in FFmpeg Enables Remote Code Execution Attacks
cybersecuritynews.com
Open sourceAI agents discover numerous vulnerabilities in FFmpeg and Chrome | brief | SC Media
scworld.com
Open sourceAI Agent Uncovers 21 Zero-Days in FFmpeg; Chrome Patches Record 429 Bugs
thehackernews.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Google Chrome Patches 34 Flaws Including Multiple RCE Bugs
Google has released two Chrome Stable channel security updates that together patch **34 vulnerabilities**, including multiple flaws that could allow **remote code execution** if users are lured to malicious webpages. The first update fixed **26 issues**—including **three critical**, **22 high-severity**, and **one medium-severity** bugs—in components such as **WebGL**, **WebRTC**, **V8**, **Blink**, **Network**, **WebAudio**, **Dawn**, **PDFium**, **ANGLE**, and **Extensions**. Google said the most serious weaknesses involved memory corruption, including use-after-free, heap and stack buffer overflows, out-of-bounds access, integer overflows, type confusion, and insufficient validation of untrusted input. A follow-up update addressed **eight additional high-severity vulnerabilities** affecting **WebAudio**, **CSS**, **WebGL**, **Dawn**, **WebGPU**, **Fonts**, and **FedCM**, again dominated by memory-safety bugs that could lead to browser compromise. Google shipped versions `146.0.7680.153` and `146.0.7680.154` for Windows and macOS and `146.0.7680.153` for Linux in the first release, followed by `146.0.7680.164` and `146.0.7680.165` for Windows and macOS and `146.0.7680.164` for Linux in the second. The company said many flaws were found through **AddressSanitizer**, **MemorySanitizer**, and **libFuzzer**, paid a **$7,000** bounty for one WebAudio bug, and is withholding technical details until more users have updated to reduce the risk of exploit development.
Mar 24, 2026
Mozilla Firefox 147.0.4 Patches Critical libvpx Heap Buffer Overflow (CVE-2026-2447)
Mozilla released an out-of-band update to **Firefox 147.0.4** to fix **CVE-2026-2447**, a high-impact **heap buffer overflow** in the *libvpx* video codec library used to decode **VP8/VP9** content. The flaw could be triggered via specially crafted video/media streams delivered through web pages, potentially leading to **arbitrary code execution**, browser crashes, or broader system compromise; the issue was reported by researcher **jayjayjazz**. Mozilla also shipped corresponding fixes to supported ESR lines (**Firefox ESR 140.7.1** and **Firefox ESR 115.32.1**), reflecting the breadth of exposure across supported platforms. Canada’s Canadian Centre for Cyber Security echoed Mozilla’s guidance, urging organizations to apply the updates across **Firefox**, **Firefox ESR**, and **Thunderbird** (per Mozilla’s advisories) to remediate the affected versions. Separate reporting described a different Firefox RCE condition tied to a **SpiderMonkey WebAssembly GC** logic error (a `&` vs `|` typo) and separate Microsoft Edge items (including an advisory noting an exploitable **CVE-2026-2441** and an article focused on Edge 145 enterprise security features); those are not part of the *libvpx* **CVE-2026-2447** disclosure and should be tracked independently.
Mar 21, 2026
Google Chrome 144 Stable Update Patches High-Severity V8 and libvpx Memory-Safety Flaws
Google released a **Chrome Stable** security update for desktop that fixes two **high-severity** vulnerabilities that could enable **arbitrary code execution** or **denial-of-service** conditions. The update advances Chrome to `144.0.7559.132/.133` on Windows and macOS and `144.0.7559.132` on Linux, with a staged rollout over days to weeks; exploitation is described as typically requiring a victim to visit a specially crafted website that triggers the bug in the renderer context. The patched issues are **CVE-2026-1862**, a **type confusion** flaw in the **V8** JavaScript/WebAssembly engine (reported by researcher **Chaoyuan Peng / @ret2happy**) that can enable out-of-bounds memory access and potentially code execution, and **CVE-2026-1861**, a **heap buffer overflow** in the **libvpx** VP8/VP9 video codec library that could be triggered by crafted media content to crash the browser/system or potentially hijack control flow. Google is restricting detailed bug information and links until most users have applied the fix to reduce the risk of rapid exploit development via patch diffing.
Mar 21, 2026