A security firm has discovered 21 zero-day vulnerabilities in FFmpeg, one of the most widely deployed multimedia libraries in the world, powering everything from web browsers to major streaming platforms.
The findings, published by security research firm Depthfirst, came from an autonomous security agent that analyzed FFmpeg’s roughly 1.5 million lines of heavily optimized C code. The agent produced concrete, reproducible proof-of-concept inputs to confirm each vulnerability, at a fraction of the cost of traditional manual auditing.
Several of the zero-days had been sitting undetected in the codebase for an estimated 15 to 20 years, despite FFmpeg being one of the most heavily fuzzed and audited open-source projects on the planet. Depthfirst’s agent also demonstrated a remote code execution exploit primitive using some of the findings.
The discovery comes on the heels of similar efforts by Google’s Big Sleep team, which disclosed 13 FFmpeg vulnerabilities, and Anthropic’s Mythos model, which also found security issues in the library. Those efforts proved that advanced AI models can reason through dense, hardened C code that has resisted traditional analysis.
Depthfirst wanted to see how far they could push with publicly available models, without access to specialized tools like Mythos. The answer: pretty far. The 21 zero-days suggest that even after decades of scrutiny and recent AI-assisted audits, serious vulnerabilities remain hiding in critical open-source infrastructure.
FFmpeg’s reach makes this especially concerning. The library is embedded in virtually every major browser, streaming platform, and media processing pipeline on the internet. A critical vulnerability in FFmpeg isn’t just a bug in one project; it’s a bug in half the internet.
FFmpeg maintainers have been notified and patches are expected in upcoming releases.
