Depthfirst says its autonomous security agent found 21 zero-days in FFmpeg, including an RCE primitive, for about $1,000. The company credits agent loops and tooling, not a bigger model. tinyurl.com/3mtm9yym

FFmpegにおける21件のゼロデイ脆弱性 depthfirst.com/research/21-z… 要約:Depthfirstの自律セキュリティエージェントがFFmpegで21件のゼロデイを発見。8件にCVEが付き、一部はRCE原語も示された。

Já era o acesso ao Claude Fable/Mythos 5? Aqui ainda está acessível. Mais noticias com áudio: Arch/AUR teve adoções maliciosas, a Depthfirst relata 21 falhas zero-day no FFmpeg, e Homebrew 6, Miasma, SLSA, Dropbox MCP, Cohere e PostgreSQL completam o dia. otaviomiranda.com.br/2026/o-…

depthfirst dropped 21 zero-days in FFmpeg (146 on HN). The CVEs aren't the story — the story is that FFmpeg is 1.4M lines of C parsing attacker-controlled binary, and your transcoding worker runs it with full IAM credentials and no seccomp. The fix isn't patching. It's treating ffmpeg as untrusted code. #Cybersecurity #devops

🚨 FFmpeg hit with 21 zero-day vulnerabilities discovered by an AI agent! DepthFirst analyzed 1.5 million lines of code and uncovered dozens of critical issues (heap/stack overflows, integer overflows). Many had been hiding for 10–23 years. 8 already assigned CVE IDs. One allows RCE via a single RTP packet over RTSP. Total cost of the research: ~$1000. Full article: depthfirst.com/research/21-z…

Depthfirst claims its AI found more critical bugs at a fraction of Mythos’s cost, including a longstanding NGINX flaw, Linux, Chrome, and FFmpeg issues that could imperil widespread web use. forbes.com/sites/thomasbrews…

La startup depthfirst ha descubierto 21 vulnerabilidades en FFmpeg, todas halladas por un agente de IA. Google, por su parte, lanzó Chrome 149, corrigiendo un récord de 429 fallos de seguridad, 100 de ellos críticos. #Ciberseguridad thehackernews.com/2026/06/ai…

🔴 THREAT ANALYSIS Six hours to find it. Five days to weaponize it. Jun 8, 2026 · 6 min read ──────────────────────────────────────── On May 13, 2026, F5 disclosed a critical heap buffer overflow in NGINX — the web server that sits in front of roughly a third of the internet. The bug, branded NGINX Rift and tracked as CVE-2026-42945, scored 9.2 on the CVSS v4.0 scale. Patches shipped the same day. Five days later, VulnCheck reported it was being exploited in the wild. That sentence is the whole story of modern cybersecurity, compressed. Not because NGINX is unusually fragile — it isn't — but because of how fast every clock in the sequence is now running. ## The timeline that should worry you Walk through the dates, because the pace is the point. • April 2026 — discovery An autonomous vulnerability-analysis system run by the research outfit depthfirst flags the flaw during a routine scan. Time to find a previously unknown bug in code that has shipped since 2007: roughly six hours. • April 24, 2026 — confirmation F5 confirms the finding and begins a coordinated disclosure process. • May 13, 2026 — disclosure patch F5 and depthfirst publish the advisory. Fixes land in NGINX 1.30.1 (stable) and 1.31.0 (mainline). The clock for every defender on earth starts now. • By May 18, 2026 — exploitation VulnCheck observes real-world attacks against unpatched servers. Five days from public advisory to active exploitation. A machine found the bug in six hours. Threat actors weaponized the fix in five days. Somewhere in the middle sits the defender, who is still expected to read the advisory, inventory their estate, schedule a maintenance window, and push a patch — on a human calendar. The discovery-to-exploitation window used to be measured in months. For NGINX Rift it was measured in days. The next one will be measured in hours. ## Why the patch is the starting gun, not the finish line There's a comfortable myth in security that a patch closes a risk. It doesn't. A patch publishes a risk. The moment a fix ships, the diff between the old code and the new code is a roadmap — it tells anyone watching exactly where the flaw lives and how to reach it. Weaponizing a disclosed-and-patched bug is far easier than finding one from scratch. So the disclosure that protects the patched also arms the attacker against the unpatched. And the unpatched population is enormous. Roughly 5.7 million internet-facing NGINX servers were running potentially vulnerable versions when Rift dropped. Patching that many systems is not a six-hour job. It is a multi-week, multi-team, change-control-approved job — and the attackers know it. This is the asymmetry that defines the era. Finding bugs is being automated. Weaponizing them is being automated. The one part still moving at human speed is the part defenders own: noticing, deciding, and responding. ## What the bug actually was — and why it barely matters For the record: NGINX Rift is a two-pass contract violation in the server's script engine. An is_args state flag set during the length-calculation pass leaks into the copy pass, so ngx_escape_uri writes past its allocated buffer when a rewrite rule combines an unnamed PCRE capture with a question mark in the replacement string. The reliable outcome is a crashed worker process — a denial of service. Remote code execution is possible only in narrower conditions, which is the small mercy here. But notice how little the mechanism matters to the strategic problem. Whether the next Rift is a heap overflow, a deserialization flaw, or an auth bypass, the shape of the event is identical: machine-speed discovery, same-day disclosure, days-to-exploitation, and a defender population that cannot move at the speed of the threa... ──────────────────────────────────────── 📰 Full analysis on The Signal: n0limit.com/blog.html#the-si… #cybersecurity #threatintel #infosec

depthfirst Raises $80M Series B #AISecurity #SecurityIntelligence #DevSecOps #SecuritySolutions #SeriesB #Funding #Depthfirst thesaasnews.com/news/depthfi…

AI Agent 自主发现 FFmpeg 21 个零日漏洞 综合分 13 | 影响力 9/10 | 信息差 4/10 - 事件：安全初创公司 depthfirst 的自主 AI Agent 扫描了 FFmpeg 约 150 万行 C 代码，发现了 21 个确认的零日漏洞，每个都附带可复现的 PoC - 成本：整个扫描仅花费 约 $1,000 - 关键细节： - 多数漏洞存在 15-20 年，其中一个栈溢出自 2003 年至今 23 年未被发现 - 已分配 CVE：CVE-2026-39210 至 CVE-2026-39218 - 漏洞类型：堆/栈溢出，涉及 TS demuxer、VP9 解码器等 - 更大背景： - Google 的 Big Sleep Agent 也曾发现 FFmpeg 漏洞 - Anthropic 的 Mythos 模型发现了一个 16 年历史的 H.264 漏洞，花费约 $10,000 - Chrome 149 一次性发布 429 个安全补丁（历史最高），Google 因"AI 生成的漏洞报告泛滥"修改了赏金计划 - 核心信号：AI Agent 发现漏洞已变得廉价，但修复和分发仍依赖人类——这是安全产业的结构性瓶颈 - 🔗 The Hacker News

$1,000 of compute found 21 zero-days in FFmpeg. An autonomous agent called depthfirst scanned roughly 1.5 million lines of C, then wrote a reproducible proof-of-concept for every bug it reported. The shift is that second half. Not a list of suspicious lines for a human to chase, but 21 crashing inputs with the memory-safety bug already triggered. Multiple findings became CVE-2026-39210 through CVE-2026-39218; the rest were fixed without numbers. They span heap and stack overflows and integer over- and underflows in the code FFmpeg points at untrusted media - a heap overflow in the MPEG-TS demuxer dating to 2010, a heap overflow in the VP9 decoder, a flaw in the DASH demuxer, and a stack overflow in a service-description-table parser whose code was written in 2003. FFmpeg sits in nearly every browser, phone, and server that touches video. One of these holes had been reachable since 2003. A $1,000 run found all 21.

02:35 UTC: CVE-2026-42945 disclosed. 🚨Alert🚨 CVE-2026-42945: A Critical Heap Buffer Overflow in NGINX. 🧐Credit by depthfirst: 📊 86 0day Intel: 🚨Alert🚨 CVE-2026-42945: A Critical Heap Buffer Overflow in NGINX.

AIがわずか約1,000ドルのコストで、20年以上見逃されていたFFmpegのゼロデイ脆弱性21件を発見した。一方、Googleは過去最多となる429件の脆弱性を修正したChrome 149を公開しており、AIによる脆弱性発見の加速がセキュリティ業界へ大きな影響を与え始めている。 セキュリティ企業depthfirstは、自律型AIエージェントを使って約150万行のFFmpegコードを解析し、21件の未知の脆弱性を発見した。中には2003年から23年間存在していたスタックオーバーフローも含まれ、CVE-2026-39210～CVE-2026-39218などが割り当てられている。 同じ週にGoogleはChrome 149を公開し、429件の脆弱性を修正した。過去最多となる修正件数で、100件以上が高または重大な深刻度だった。最も深刻なCVE-2026-10881はCVSS 9.6で、細工されたWebページからサンドボックスを突破しコード実行につながる恐れがある。 近年はGoogleのBig SleepやAnthropicのAIもFFmpegの脆弱性発見に成功しており、RedisやLinuxカーネルでもAIによる成果が報告されている。脆弱性の発見コストが急激に低下する一方で、修正や検証、運用環境への適用が新たな課題になりつつある。 thehackernews.com/2026/06/ai…

أشار تقرير تقني حديث إلى تحول مثير في مجال اكتشاف الثغرات الأمنية، بعدما تمكن وكيل ذكاء اصطناعي مستقل من العثور على 21 ثغرة من نوع يوم الصفر في مكتبة FFmpeg الشهيرة لمعالجة الفيديو. المدهش أن بعض هذه الثغرات ظلت مخفية لأكثر من عقدين، من بينها خلل يعود إلى عام 2003 وبقي دون اكتشاف طوال 23 عامًا. وأوضحت شركة depthfirst المطورة للوكيل أن الفحص شمل حوالي 1.5 مليون سطر من الشيفرة، وبتكلفة لم تتجاوز ألف دولار، وأسفر عن العثور على ثغرات مؤكدة مع نماذج استغلال قابلة للتكرار. في الوقت نفسه، أطلقت جوجل تحديث كروم 149 الذي سجل رقماً قياسي بـ429 إصلاح أمني في إصدار واحد، من بينها أكثر من مئة ثغرة عالية الخطورة، أغلبها من نوع الاستخدام بعد التحرير وضعف التحقق من المدخلات. أخطر هذه الثغرات، CVE-2026-10881، نال مكتشفها مكافأة قدرها 97 ألف دولار، وتسمح بتنفيذ تعليمات خارج حدود الذاكرة عبر محرك ANGLE. ورغم أن جوجل لم تربط هذا العدد الكبير من الثغرات مباشرة بالذكاء الاصطناعي، فإن الشركة كانت قد عدلت برنامج المكافآت في أبريل بعد تدفق تقارير مولدة آليا. كما سبق أن كشفت أدوات ذكاء اصطناعي أخرى، مثل بيق سليب وماثيوس، عن ثغرات قديمة في FFmpeg، ما يعزز الاتجاه المتسارع نحو دور أكبر للذكاء الاصطناعي في اكتشاف العيوب البرمجية. التوصيات الأمنية كانت واضحة بضرورة تحديث FFmpeg فور صدور النسخ المرقعة، خاصة على الأنظمة التي تتعامل معائط غير موثوقة، إلى جانب ترقية كروم إلى الإصدار 149.0.7827.53 أو ما يعادله. ويرى الخبراء أن التحدي الأكبر لم يعد في اكتشاف الثغرات، بل في سرعة معالجتها وإيصال الإصلاحات للمستخدمين، في ظل تزايد الضغوط على فرق الأمن البشري لمجاراة سرعة وتيرة الآلات. #تقنية #الامن_السيراني

Meet The $580 Million Startup Making AI Models To Fight Artificial Hackers forbes.com/sites/thomasbrews… (Photo: Depthfirst)

This Startup’s AI Found Critical Vulnerabilities That Anthropic’s Mythos Missed Startup Depthfirst claims its AI found some major flaws in tools that help run much of the internet, all for a tenth of the cost of Anthropic’s comparable model Mythos. forbes.com/sites/thomasbrews…

yeah wow, that’s insane! 🤯 If depthfirst can spot bugs at a tenth the price, maybe we should start giving up on the big names. what do you think? 💭```

This Startup’s AI Found Critical Vulnerabilities That Anthropic’s Mythos Missed Startup Depthfirst claims its AI found some major flaws in tools that help run much of the internet, all for a tenth of the cost of Anthropic’s comparable model Mythos. forbes.com/sites/thomasbrews…