An AI agent reportedly found 21 FFmpeg zero-days for $1,000
The post says a security startup called depthfirst used an AI agent to inspect FFmpeg’s roughly 1.5 million lines of C code. It says the agent found 21 confirmed zero-day vulnerabilities, including one remote code execution (RCE) bug that can be reached over a network with a single 183-byte RTP packet. The post claims the cloud computing cost was about $1,000, compared with an estimated $200,000 to $500,000 for a human audit of the same codebase. It also says nine CVE IDs have been assigned so far.
Key points
- The post says the AI agent reviewed about 1.5 million lines of FFmpeg C code.
- It reports 21 confirmed zero-day vulnerabilities.
- One reported issue is described as a network-reachable RCE using one 183-byte RTP packet.
- The claimed cloud cost is about $1,000.
- The post says automated bug finding is now outpacing automated patching, so the fixing side has not kept up.
Quick term guide
- AI agent: An AI program that can inspect information and suggest what to do next.
- vulnerabilities: Weaknesses in a computer system that an attacker can exploit.
- tracking: Collecting records of what a user does inside an app.
- benchmark: A test used to compare speed, quality, or cost.
- codebase: The full set of files and code that make an app or product work.
- headline: The main title or catchy phrase used to grab people's attention.
- automated: When a task is done by a machine or computer instead of a person.
- automate: To make a tool or program do a repeated task for you.