Depthfirst

vulnerabilities 2026-06-08
An AI Agent Found 21 Zero-Days in FFmpeg for $1,000 — and Your Container Images Are in Scope
depthfirst's autonomous agent found 21 zero-days in FFmpeg for about $1,000, including a 23-year-old stack overflow. Nine carry CVEs (CVE-2026-39210 through CVE-2026-39218). FFmpeg is bundled everywhere — patch upstream and your embedded copies.
ffmpeg cve-2026-39210 ai-security zero-day memory-safety supply-chain depthfirst vulnerability-research

An AI Agent Found 21 Zero-Days in FFmpeg for $1,000 — and Your Container Images Are in Scope