ctipilot.ch

Autonomous AI agent finds 21 FFmpeg zero-days for ~$1,000 (CVE-2026-39210–39218)

vulnerability-trend · item:depthfirst-ai-agent-21-ffmpeg-zero-days

Coverage timeline: 1 (first 2026-06-07 → last 2026-06-07)
Briefs: 1 (1 distinct)
Sources cited: 14 (11 hosts)
Sections touched: 1 (research)
Co-occurring entities: 8 (see Related entities below)

Story timeline

  1. 2026-06-07 · CTI Daily Brief — 2026-06-07
    research · First coverage. depthfirst AI agent found 21 reproducible FFmpeg zero-days (~$1,000), 9 numbered CVE-2026-39210–39218; heap/stack overflows in parsers/demuxers, AV1/RTP one network-reachable; PoCs public, fixed upstream; AI-discovery cost inflection.

Where this entity is cited

  • research: 1

Source distribution

  • thehackernews.com: 4 (29%)
  • cyera.com: 1 (7%)
  • depthfirst.com: 1 (7%)
  • dragos.com: 1 (7%)
  • microsoft.com: 1 (7%)
  • ncsc.admin.ch: 1 (7%)
  • redcanary.com: 1 (7%)
  • redis.io: 1 (7%)
  • other: 3 (21%)

Related entities

All cited sources (14)

Items in briefs about Autonomous AI agent finds 21 FFmpeg zero-days for ~$1,000 (CVE-2026-39210–39218) (2)

An autonomous AI agent finds 21 zero-days in FFmpeg for ~$1,000 — nine numbered (CVE-2026-39210 to -39218), parser bugs up to 23 years old

From CTI Daily Brief — 2026-06-07 · published 2026-06-07

Security startup depthfirst ran an autonomous AI analysis agent over FFmpeg's ~1.5 million lines of C and produced 21 confirmed, reproducible zero-days — each with a proof-of-concept input — for an estimated compute cost of about $1,000 (depthfirst, 2026-06-02; The Hacker News, 2026-06-06). Nine carry CVE identifiers (CVE-2026-39210 through CVE-2026-39218); twelve more are fixed but unnumbered. The classes are predominantly heap and stack overflows in parsers and demuxers — the TS (transport-stream) demuxer, VP9 decoder, and the AV1 RTP depacketizer — and several had been latent for 15–20 years, with one service-description-table stack overflow dating to 2003. The AV1-over-RTP overflow is the most operationally pointed because it is network-reachable without special flags, which matters for any service that ingests untrusted RTSP/RTP media. All bugs are fixed upstream; downstream and embedded copies vary.

Why it matters to us: Two things for defenders. First, FFmpeg is embedded far beyond the obvious media players — browser stacks, Electron apps, conferencing clients (Teams/Zoom), surveillance/VMS transcoders, and Python wheels — and many ship their own non-auto-updating build, so SBOM/runtime inventory of bundled libavcodec/libavformat is the most reliable way to find exposure. Prioritise hosts that parse externally-sourced media or accept RTP/RTSP streams, and isolate media-processing services from internal networks. The open verification step for each environment is twofold: confirm whether your distribution has shipped the FFmpeg release carrying the upstream fixes (the fixes are upstream; distro packaging lag varies), and establish whether the network-reachable AV1-over-RTP path is actually exercised by any service you run (for example a WebRTC or RTP media pipeline) rather than assuming the parser is dormant.

Second, the $1,000-for-21-bugs cost ratio is a signal that parser-class discovery against widely-embedded C libraries (libpng, zlib, libxml2) is now cheap enough to expect more of — treat embedded-parser memory safety as an accelerating attack surface. Maps to T1203 (Exploitation for Client Execution).
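
The runtime inventory of bundled libavcodec/libavformat recommended above can start as a filesystem sweep. The following is an added example, not code from the brief or from depthfirst: it finds bundled copies by file name and reads the `Lavc`/`Lavf` version ident that FFmpeg builds normally embed. The sample tree and its version strings are constructed, stripped or custom builds may carry no ident, and the fixed version to compare against must come from your vendor because the brief does not state it.

```python
import os
import re
import tempfile

# Names FFmpeg libraries are commonly bundled under: libavcodec.so.60,
# avcodec-61.dll, libavformat.61.dylib, auditwheel-renamed copies in Python
# wheels (libavcodec-1a2b3c4d.so.60) and Electron's libffmpeg.so / ffmpeg.dll.
NAME_RE = re.compile(
    r"^(?:lib)?(?:avcodec|avformat|ffmpeg)(?![a-z])[^/]*\.(?:so|dll|dylib)(?:\.[\d.]+)?$",
    re.IGNORECASE)
# Version idents normally compiled in, e.g. "Lavc60.31.102" / "Lavf60.16.100".
IDENT_RE = re.compile(rb"Lav([cf])(\d{1,3}\.\d{1,3}\.\d{1,3})")
LIBS = {b"c": "libavcodec", b"f": "libavformat"}

def find_bundled_ffmpeg(root):
    """Return [(relative_path, {library: version})] for every bundled copy under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not NAME_RE.match(name) or os.path.islink(path):
                continue  # skip unrelated files and soname symlinks (no double counting)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: keep sweeping
            idents = {LIBS[m.group(1)]: m.group(2).decode() for m in IDENT_RE.finditer(data)}
            hits.append((os.path.relpath(path, root).replace(os.sep, "/"), idents))
    return sorted(hits, key=lambda hit: hit[0])

def demo():
    """Scan a constructed tree of fake files (sample data, not real libraries)."""
    samples = {
        "usr/lib/libavcodec.so.60": b"\x7fELF\x00Lavc60.31.102\x00",
        "opt/app/resources/libffmpeg.so": b"Lavc59.37.100\x00Lavf59.27.100\x00",
        "venv/site-packages/pkg.libs/libavformat-1a2b3c4d.so.60": b"Lavf60.16.100",
        "usr/lib/libpng16.so.16": b"not ffmpeg",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, blob in samples.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(blob)
        return find_bundled_ffmpeg(root)

if __name__ == "__main__":
    for path, idents in demo():
        print(path, idents or "no ident string found")
```

A hit with an empty ident map still counts as a bundled copy; resolve its version from the owning package's SBOM.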

CVE-2026-44112 / CVE-2026-44113 / CVE-2026-44115 / CVE-2026-44118 — OpenClaw "Claw Chain": four chainable flaws in autonomous-agent platform enable sandbox escape → credential leak → privilege escalation → file disclosure

From CTI Daily Brief — 2026-05-16 · published 2026-05-16

Cyera Research published on 2026-05-15 four chained vulnerabilities in OpenClaw (also marketed as Clawdbot), an autonomous AI-agent platform released in late 2025 with integrations including Microsoft Agent 365 (Cyera Research, 2026-05-15 · The Hacker News, 2026-05-15). All four CVEs are fixed by the OpenClaw release dated 2026-04-23, addressed under GitHub Security Advisories GHSA-5h3g-6xhh-rg6p, GHSA-wppj-c6mr-83jj, GHSA-r6xh-pqhr-v4xh, and GHSA-x3h8-jrgh-p8jx.

The defender-relevant detail is that an attacker who can obtain code execution inside the OpenClaw managed sandbox — achievable via a malicious plugin, prompt injection into the agent context, or supply-chain compromise of an OpenClaw plugin — can chain the four primitives to a full sandbox-escape → credential-harvest → owner-level agent control → file-disclosure sequence whose steps each mimic normal agent behaviour and so evade controls calibrated to "human-attacker" indicators.

  • CVE-2026-44112 (CVSS 9.6, Critical) is a TOCTOU race in the OpenShell sandbox backend that lets the sandbox process win the filesystem write race and redirect writes outside the intended mount root, enabling host-filesystem tampering and persistent backdoor placement.
  • CVE-2026-44115 (CVSS 8.8, High) is an incomplete allowlist in OpenClaw's command parser — shell-expansion tokens embedded in environment-variable names bypass the validation gate, leaking API keys, tokens, and credentials at execution time.
  • CVE-2026-44118 (CVSS 7.8, High) trusts a client-controlled senderIsOwner flag in MCP loopback messages without validating against the authenticated session, allowing privilege escalation to owner-level agent control.
  • CVE-2026-44113 (CVSS 7.7, High) is the companion TOCTOU read escape enabling file disclosure outside the sandbox root.

Exposure is broad: Cyera cites ~65 K (Shodan) and ~180 K (ZoomEye) publicly accessible OpenClaw instances as of May 2026, summing to an estimated ~245 K exposed servers.

No in-the-wild exploitation reported at disclosure. Detection: alert on the agent process writing files outside designated sandbox mount directories; flag MCP loopback messages with senderIsOwner=true from sources not matching the authenticated session; alert on environment-variable expansion in command strings at agent execution time.
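
The three detections listed above can be written as rules over normalised agent telemetry. This is an added example, not code from the brief, Cyera, or OpenClaw: the event schema (`type`, `path`, `sender_session`, `owner_session`, `command`, `env`), the sandbox root and the sample events are hypothetical and constructed, and only `senderIsOwner` is a field named in the brief. It assumes file-write events already carry the path as resolved by the host, since lexical normalisation alone cannot see a symlink swap.

```python
import json
import posixpath
import re

SANDBOX_ROOT = "/sandbox/mnt"  # assumption: the designated sandbox mount root
EXPANSION_RE = re.compile(r"\$\{|\$\(|\$[A-Za-z_]|`")  # ${X}, $(cmd), $X, backticks

def outside_root(path, root=SANDBOX_ROOT):
    """True if path, after collapsing '.' and '..', is not root or beneath it."""
    norm = posixpath.normpath(posixpath.join(root, path))
    return norm != root and not norm.startswith(root + "/")

def evaluate(event):
    """Return the names of the rules that one normalised event trips."""
    kind, alerts = event.get("type"), []
    if kind == "file_write" and outside_root(event.get("path", "")):
        alerts.append("write_outside_sandbox")
    if kind == "mcp_loopback" and event.get("senderIsOwner") is True:
        # The flag is client-controlled: accept it only when the sending
        # session is the one that authenticated as owner.
        owner = event.get("owner_session")
        if owner is None or event.get("sender_session") != owner:
            alerts.append("unverified_senderIsOwner")
    if kind == "exec":
        # Check the command string and the environment-variable names.
        fields = [event.get("command", ""), *event.get("env", {})]
        if any(EXPANSION_RE.search(field) for field in fields):
            alerts.append("expansion_in_exec")
    return alerts

# Constructed sample events (hypothetical schema), one JSON object per line.
SAMPLE = """\
{"type":"file_write","path":"/sandbox/mnt/work/out.txt"}
{"type":"file_write","path":"/sandbox/mnt/../../etc/cron.d/job"}
{"type":"mcp_loopback","senderIsOwner":true,"sender_session":"s-2","owner_session":"s-1"}
{"type":"mcp_loopback","senderIsOwner":true,"sender_session":"s-1","owner_session":"s-1"}
{"type":"exec","command":"printenv","env":{"A${HOME}":"1"}}
{"type":"exec","command":"ls -l /sandbox/mnt","env":{"LANG":"C"}}
"""

def run(lines=SAMPLE):
    """Evaluate every event line and return one alert list per event."""
    return [evaluate(json.loads(line)) for line in lines.splitlines() if line.strip()]

if __name__ == "__main__":
    for line, alerts in zip(SAMPLE.splitlines(), run()):
        print(alerts or "ok", line)
```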