Discovery Through Automation
A security startup called depthfirst has deployed an autonomous AI agent that uncovered 21 zero-day vulnerabilities in the FFmpeg multimedia framework. The agent scanned approximately 1.5 million lines of C code in the project and generated a working proof of concept for each finding. According to the company, the entire operation cost around $1,000. Many of the flaws had remained undetected for more than 15 years; one stack overflow bug in the service description table code dates back to 2003 and lay dormant for 23 years. The majority of the issues involve heap or stack overflows within parsers and demuxers, affecting components ranging from the TS demuxer to the VP9 decoder.
Impact and Industry Shift
These discoveries highlight how artificial intelligence is accelerating the pace of vulnerability discovery. The flaws reside in FFmpeg, a library embedded in countless applications that process video, making the potential attack surface extremely broad. Separately, Google released Chrome 149 with patches for 429 security bugs, a record number for a single browser update. Over 100 of those are rated critical or high severity, primarily use-after-free errors and insufficient input validation. The most severe vulnerability involves an out-of-bounds read and write in the ANGLE graphics engine that could allow a crafted web page to escape the browser sandbox. Google overhauled its bug bounty program in April to handle the growing volume of AI-generated security reports, signaling a fundamental change in how vulnerabilities are discovered and managed across the industry.
Source: The Hacker News

