June 12, 2026
Stream and scream
Twenty One Zero-Days in FFmpeg
AI found 21 hidden FFmpeg flaws and the comments instantly went full panic mode
TLDR: An AI security system says it found 21 long-hidden bugs in FFmpeg, a hugely popular media tool used across the web, and even showed working proof they were real. Commenters swung between panic and nitpicking, with some calling it a major wake-up call and others joking that future code may need anti-AI traps.
The big bombshell here is that depthfirst says its autonomous security system found 21 previously unknown flaws in FFmpeg, the behind-the-scenes media tool used all over the internet to handle video and audio. That alone is spicy. But the real popcorn moment is the community reaction: people were torn between "this is terrifying" and "honestly, are we even surprised?" One commenter basically said FFmpeg is brilliant, beloved, and also exactly the kind of giant old-school code monster you should never let touch untrusted files without a padded room and a security guard.
The loudest mood in the thread was alarm mixed with fatalism. One person was stunned this was even published, because the affected setups could include systems that automatically pull in outside video streams. Another pushed back a little, arguing that while the bug sounds dramatic, turning it into a full machine takeover may be harder in real life than the scariest wording suggests. In other words: cyber doom now, but with a side of nerd debate.
And then came the jokes. The funniest hot take wondered whether the next big defense will be people hiding anti-AI booby traps in their own code so security bots get confused before attackers do. That idea feels half meme, half prophecy. The overall vibe? FFmpeg’s reputation somehow got both praised as legendary and dragged as a sprawling danger zone in the exact same conversation.
Key Points
- Depthfirst says its autonomous security agent discovered 21 zero-day vulnerabilities in FFmpeg and produced reproducible proof-of-concept inputs for validation.
- The article states that several of the reported vulnerabilities had remained latent for 15 to 20 years.
- FFmpeg is described as a widely deployed media-processing library and a security-critical target because it parses complex, untrusted media inputs.
- The article cites prior AI-assisted FFmpeg research by Google’s Big Sleep team, which disclosed 13 vulnerabilities, and by Anthropic’s Mythos model, which also found issues.
- Depthfirst describes its security agent as using threat modeling, attack-surface mapping, data-flow analysis, and execution-based validation to reduce false positives and confirm reachability.
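As an added illustration of the execution-based validation step in the last point (this is not depthfirst's code or FFmpeg's; the sanitizer-build path, the ASAN_OPTIONS choice and the sample report are assumptions), here is a small triage harness that replays a candidate proof-of-concept input through an AddressSanitizer-instrumented ffmpeg build and counts a finding as confirmed only when a real sanitizer report appears, which is what separates a reachable memory-safety bug from a static-analysis false positive:

```python
import os
import re
import subprocess
from dataclasses import dataclass

# Header line, access line and top stack frame of an AddressSanitizer report.
ASAN_HEADER = re.compile(r"ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ASAN_ACCESS = re.compile(r"(?P<rw>READ|WRITE) of size (?P<size>\d+)")
ASAN_FRAME0 = re.compile(r"#0 0x[0-9a-f]+ in (?P<func>\S+)")


@dataclass
class Verdict:
    status: str          # "confirmed", "not-reproduced" or "timeout"
    kind: str = ""       # e.g. heap-buffer-overflow
    access: str = ""     # READ or WRITE
    size: int = 0
    frame0: str = ""     # function in which the bad access happened


def parse_asan(stderr: str) -> Verdict:
    """Classify sanitizer output; no ASan header means the crash did not reproduce."""
    header = ASAN_HEADER.search(stderr)
    if not header:
        return Verdict("not-reproduced")
    access = ASAN_ACCESS.search(stderr)
    frame0 = ASAN_FRAME0.search(stderr)
    return Verdict(
        status="confirmed",
        kind=header.group("kind"),
        access=access.group("rw") if access else "",
        size=int(access.group("size")) if access else 0,
        frame0=frame0.group("func") if frame0 else "",
    )


def validate_poc(ffmpeg_asan: str, poc_path: str, timeout_s: int = 30) -> Verdict:
    """Decode one PoC input to the null muxer with an ASan build (assumed path) and triage it."""
    cmd = [ffmpeg_asan, "-nostdin", "-hide_banner", "-i", poc_path, "-f", "null", "-"]
    env = {**os.environ, "ASAN_OPTIONS": "abort_on_error=1:detect_leaks=0"}
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout_s, env=env)
    except subprocess.TimeoutExpired:
        return Verdict("timeout")  # hangs are triaged separately from memory errors
    return parse_asan(proc.stderr)


# Constructed sample in ASan's report format; the decoder name is a hypothetical placeholder.
SAMPLE_REPORT = """==1234==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000118 at pc 0x00005a1b2c
WRITE of size 4 at 0x602000000118 thread T0
    #0 0x5a1b2b in decode_frame_hypothetical libavcodec/hypothetical_decoder.c:123
    #1 0x4f0e10 in avcodec_send_packet libavcodec/decode.c:0
"""
```

A "not-reproduced" verdict on a sanitizer build is the cheap filter that removes most static false positives before a human looks at the finding.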