DepthFirst agent discovers 21 FFmpeg zero-days

// 2h agoSECURITY INCIDENT

DepthFirst agent discovers 21 FFmpeg zero-days

DepthFirst's autonomous security agent has discovered 21 zero-day vulnerabilities in FFmpeg, including flaws present for over a decade. The findings highlight the efficiency of agentic security testing, identifying a critical remote code execution flaw in the AV1 RTP depacketizer at a fraction of the cost of previous audits.

// ANALYSIS

While LLM-powered coding assistants typically focus on interactive generation, specialized security agents utilizing parallel hypothesis testing and execution feedback can discover critical vulnerabilities overlooked by manual audits and traditional fuzzers.

–**Agentic Efficiency**: The autonomous agent found 21 zero-days at a cost of ~$1k, compared to Anthropic's $10k Mythos scan, proving the efficiency of targeted execution validation over raw scale.
–**Deep Latency**: Several discovered bugs (e.g., DFVULN-122 in the RTP MPEG-4 depacketizer) have been present since 2003-2010, demonstrating that legacy code remains a major source of hidden risk even in heavily audited projects.
–**Practical Exploitability**: The AV1 RTP depacketizer vulnerability (DFVULN-127) offers a clean RCE primitive by allowing the attacker to poison write cursors and hijack AVBuffer.free without corrupting refcounts.

// TAGS

ffmpegzero-dayvulnerabilitiesremote-code-executionsecurity-agentdepthfirstrtp-depacketizerheap-buffer-overflow

DISCOVERED

2h ago

2026-06-13

PUBLISHED

4h ago

2026-06-12

RELEVANCE

8/ 10

AUTHOR

redbell

// KEEP READING

More AI developer news from the feed

EXPLORE FULL FEED

POLICY32m ago

Anthropic disputes Claude Fable 5 suspension

Anthropic has challenged the U.S. government's suspension of its newly launched Claude Fable 5 model, arguing the cited jailbreak vulnerabilities are minor and present in competing models like GPT 5.5. The company expects the model to be back online by Monday.

OPEN SOURCE50m ago

LUMEN launches WebGL2 generative shader studio

LUMEN is an open-source, browser-based WebGL2 generative shader studio by Leon Lin that renders math-perfect looping abstract art in real time. The zero-dependency tool features nine artistic modes, seed-based randomization, share codes, and direct browser export to PNG, WebM, and GIF formats.

NEWS1h ago

AI developer channel BridgeMind hosts a mock "funeral service" for Anthropic's Claude Fable 5 model to satirize its aggressive safety routing and impending transition away from free subscription access.

Developer and content creator BridgeMind (@bridgemindai) shared a post titled "Claude Fable 5 Funeral Service" to highlight developer frustrations with Anthropic's latest frontier AI model. Launched on June 9, 2026, Claude Fable 5 boasts strong agentic capabilities but has polarized users due to strict safety classifiers that automatically downgrade complex prompts to the older Claude Opus 4.8 model. The mock service also references the upcoming June 22, 2026 deadline, when Fable 5's inclusion in standard subscription plans ends and shifts to a usage-credit pricing model, leaving developers mourning the brief window of easy access.