An AI Agent Found 21 Zero-Days in FFmpeg for About $1,000


FFmpeg is the media library inside almost everything that touches video — CMS platforms, transcoding pipelines, chat apps, that thumbnail generator on your website. It's roughly 1.5 million lines of C, much of it written when "the cloud" meant weather.

This week, a security startup reported that its autonomous AI agent had scanned that codebase and produced 21 reproducible zero-day vulnerabilities — eight CVEs assigned so far. Some of the bugs had been sitting in the code for 15 to 23 years. Total compute cost of the run: about $1,000.

The economics just flipped

Three weeks ago we wrote about Anthropic's Project Glasswing finding 10,000+ flaws across open source. The FFmpeg result sharpens the point with a price tag: serious vulnerability research now costs about as much as a mid-range laptop and finishes over a weekend.

When finding bugs cost six figures of expert time, defenders and well-funded attackers were the only players. At $1,000 a run, everyone is a player. And the volunteer maintainers on the receiving end — FFmpeg's team has been vocal about this — were already underwater before the machines started filing reports.

What this means for your stack

You almost certainly run FFmpeg, or libraries like it, without knowing — it arrives as a dependency of a dependency. Three habits matter now more than ever:

  • Know your inventory. You can't patch what you don't know you run. (Your host should know for you.)
  • Patch on disclosure cadence, not convenience cadence. The gap between CVE and exploit keeps shrinking — AI is compressing both ends.
  • Layer defenses so one vulnerable library is an incident, not a breach: isolation, least privilege, monitored anomalies, restorable backups.
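One way to act on the first habit, as an added example that is not part of the original post: a small Python scanner that walks a directory tree and reports every ELF binary or shared object whose dynamic section names an FFmpeg library (libavcodec, libavformat and so on). Because it inspects shared objects as well as executables, a "dependency of a dependency" shows up as a hit on the intermediate library. It assumes little-endian ELF64 files on Linux and reads only direct DT_NEEDED entries; the list of FFmpeg library prefixes is an assumption, not something the post provides.

```python
import os
import struct

PT_LOAD, PT_DYNAMIC = 1, 2                # program header types
DT_NULL, DT_NEEDED, DT_STRTAB = 0, 1, 5   # dynamic section tags
FFMPEG_LIBS = ("libavcodec", "libavformat", "libavutil", "libavfilter",  # assumed list
               "libswscale", "libswresample", "libavdevice", "libpostproc")

def needed_libs(data: bytes) -> list:
    """Return the DT_NEEDED names of a little-endian ELF64 image, or [] if it is not one."""
    if len(data) < 64 or data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        return []
    e_phoff, _, _, _, e_phentsize, e_phnum = struct.unpack_from("<QQIHHH", data, 32)
    loads, off, end = [], 0, 0  # PT_LOAD address map; PT_DYNAMIC file range
    for i in range(e_phnum):
        p_type, _, p_off, p_vaddr, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            loads.append((p_vaddr, p_off, p_filesz))
        elif p_type == PT_DYNAMIC:
            off, end = p_off, p_off + p_filesz
    needed, strtab = [], None
    while off + 16 <= end:  # Elf64_Dyn entries: signed tag, unsigned value
        tag, val = struct.unpack_from("<qQ", data, off)
        off += 16
        if tag == DT_NEEDED:
            needed.append(val)  # offset into the dynamic string table
        elif tag == DT_STRTAB:  # a virtual address: map it to a file offset via PT_LOAD
            strtab = next((o + val - v for v, o, n in loads if v <= val < v + n), None)
        elif tag == DT_NULL:
            break
    if strtab is None:
        return []
    return [data[strtab + i:data.find(b"\0", strtab + i)].decode("ascii", "replace") for i in needed]

def ffmpeg_dependents(root: str) -> dict:
    """Map each ELF file under root to the FFmpeg libraries it links directly."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    data = f.read()  # needed_libs() rejects anything that is not ELF64
                libs = [lib for lib in needed_libs(data) if lib.startswith(FFMPEG_LIBS)]
            except (OSError, struct.error):  # unreadable, not a regular file, or truncated ELF
                continue
            if libs:
                hits[path] = libs
    return hits
```

Running `ffmpeg_dependents("/usr/lib")` and `ffmpeg_dependents("/usr/bin")` on a host lists the libraries and programs that must be rebuilt or updated when an FFmpeg fix lands; vendored copies inside application directories need the same scan.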

Keeping low-level libraries patched across a fleet of servers is precisely the unglamorous work managed infrastructure exists for. Nobody ever notices it being done — which, in this line of work, is what success sounds like.

Need this handled instead of explained?

We do this for a living — talk to an engineer about your setup.