Security startup depthfirst says its production autonomous security agent uncovered 21 zero-day vulnerabilities in FFmpeg, the media library buried inside browsers, phones and streaming infrastructure, and wrote a working proof-of-concept for each one.
The catch that should worry maintainers: several flaws are 15 to 20 years old, and one stack overflow now tracked as CVE-2026-39214 survived 23 years of code review. The agent chewed through roughly 1.5 million lines of C for about US$1,000, which depthfirst frames as a tenth of what Anthropic spent when its Claude Mythos model swept software for bugs earlier this year. The worst finding, a heap overflow in FFmpeg's AV1 RTP depacketizer, could enable remote code execution from a single 183-byte packet with no authentication and no user interaction.
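The bug class behind that last finding, a packet parser that copies a payload using a length taken from the packet itself, is worth seeing in code. The block below is an added example, not FFmpeg's code and not a reconstruction of CVE-2026-39214: it uses a made-up wire format (12-byte fixed header, 2-byte big-endian payload length, payload) and shows the three checks a depacketizer must make before `memcpy` so that a single lying packet cannot write past a fixed-size reassembly buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical wire format, constructed for this example (not the RTP AV1
 * payload format and not FFmpeg code): 12-byte fixed header, 2-byte
 * big-endian payload length, then the payload bytes. */
#define HDR_LEN   12
#define LEN_FIELD 2
#define MAX_FRAME 64

typedef struct {
    uint8_t data[MAX_FRAME];   /* reassembled frame, fixed capacity */
    size_t  used;              /* bytes already written into data[] */
} frame_t;

enum { DEPKT_OK = 0, DEPKT_SHORT = -1, DEPKT_TRUNCATED = -2, DEPKT_OVERFLOW = -3 };

/* Append one packet's payload to the frame. Every length that comes off the
 * wire is checked against what actually arrived and against the room left in
 * the frame before memcpy. Dropping either of the last two checks is the
 * heap-overflow pattern: a single packet declaring more bytes than fit. */
int depacketize(frame_t *f, const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < HDR_LEN + LEN_FIELD)
        return DEPKT_SHORT;                  /* header itself is incomplete */

    size_t declared = ((size_t)pkt[HDR_LEN] << 8) | pkt[HDR_LEN + 1];
    size_t avail    = pkt_len - HDR_LEN - LEN_FIELD;

    if (declared > avail)
        return DEPKT_TRUNCATED;              /* header claims more than the packet carries */
    if (declared > MAX_FRAME - f->used)      /* f->used <= MAX_FRAME, so no underflow */
        return DEPKT_OVERFLOW;               /* would run off the end of data[] */

    memcpy(f->data + f->used, pkt + HDR_LEN + LEN_FIELD, declared);
    f->used += declared;
    return DEPKT_OK;
}

/* Build a packet whose length field can disagree with the bytes attached,
 * so a test can feed the parser a lying header. out needs room for
 * HDR_LEN + LEN_FIELD + payload_len bytes. */
size_t build_packet(uint8_t *out, uint16_t declared,
                    const uint8_t *payload, size_t payload_len)
{
    memset(out, 0, HDR_LEN);
    out[0] = 0x80;                           /* RTP version 2 bit, cosmetic here */
    out[HDR_LEN]     = (uint8_t)(declared >> 8);
    out[HDR_LEN + 1] = (uint8_t)(declared & 0xff);
    memcpy(out + HDR_LEN + LEN_FIELD, payload, payload_len);
    return HDR_LEN + LEN_FIELD + payload_len;
}

/* Runs the constructed scenarios and returns how many behaved as expected (4). */
int run_scenarios(void)
{
    frame_t f;
    uint8_t payload[48];
    uint8_t pkt[256];
    int ok = 0;
    size_t n;

    memset(&f, 0, sizeof f);
    memset(payload, 0xAB, sizeof payload);

    n = build_packet(pkt, 32, payload, 32);            /* honest packet */
    ok += (depacketize(&f, pkt, n) == DEPKT_OK && f.used == 32);

    ok += (depacketize(&f, pkt, 5) == DEPKT_SHORT);    /* not even a full header */

    n = build_packet(pkt, 183, payload, 10);           /* declares 183, carries 10 */
    ok += (depacketize(&f, pkt, n) == DEPKT_TRUNCATED && f.used == 32);

    n = build_packet(pkt, 40, payload, 40);            /* honest, but 32 + 40 > 64 */
    ok += (depacketize(&f, pkt, n) == DEPKT_OVERFLOW && f.used == 32);

    return ok;
}

int main(void)
{
    printf("%d of 4 scenarios handled safely\n", run_scenarios());
    return 0;
}
```

The third scenario is the shape of the attack the article describes: no authentication, no user action, just a header field that the receiver believes. Note the order of the checks; comparing `declared` against `avail` before `MAX_FRAME - f->used` also prevents an over-read of the packet buffer, a separate but related bug.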
Cheap, reproducible, agent-found zero-days change the economics of both defence and offence. The same US$1,000 run is available to whoever points it at your codebase first.