Artificial intelligence is accelerating the discovery of software vulnerabilities, as evidenced by two recent events. An AI agent found 21 zero-day flaws in FFmpeg, a critical media library used in countless applications, while Google released Chrome 149 with a record-breaking 429 security patches, many of which may have been influenced by AI-generated reports, as reported by The Hacker News.

The security startup depthfirst utilized an autonomous AI agent to scan FFmpeg's extensive codebase, uncovering 21 previously unknown vulnerabilities, some of which had been dormant for up to 23 years. These flaws, primarily heap or stack overflows within parsers and demuxers, have already begun receiving CVE identifiers. Separately, Google's Chrome 149 update addresses 429 security bugs, a new record for a single release, with over 100 critical or high-severity issues. While Google hasn't directly attributed the Chrome vulnerabilities to AI, the company has updated its bug bounty program to handle an influx of AI-generated submissions.

This trend highlights the increasing pressure on developers to manage a faster pace of vulnerability discovery and patching, with AI agents proving adept at finding flaws in complex software like FFmpeg and contributing to the volume of reports for widely used browsers like Chrome. The challenge now lies in efficiently triaging, fixing, and deploying these patches across the software ecosystem.

Source: The Hacker News
AI/ML
AI agents discover numerous vulnerabilities in FFmpeg and Chrome




