Anthropic's Unreleased Claude Mythos AI Discovers Decades-Old Linux/OpenBSD Bugs, Launches Project Glasswing

Anthropic's Unreleased Claude Mythos AI Discovers Decades-Old Linux/OpenBSD Bugs, Launches Project Glasswing

N
News Editor 01
2026-07-10 00:52:13
Anthropic's unreleased Claude Mythos Preview AI discovered thousands of zero-day vulnerabilities across major OSes and browsers, including a 27-year-old OpenBSD bug and a 16-year-old FFmpeg flaw. The company launched Project Glasswing with 11 partners and $100M in AI credits for defenders, but less than 1% of bugs are fixed.
AnthropicClaude Mythoszero-day vulnerabilitycybersecurityProject Glasswing

Anthropic's yet-unreleased Claude Mythos Preview model has autonomously uncovered thousands of critical zero-day vulnerabilities across all major operating systems and web browsers, the company announced on April 9, 2026. Among them are a 27-year-old integer overflow bug in OpenBSD's TCP SACK handling and a 16-year-old error in FFmpeg's H.264 decoder, both previously missed by millions of automated tests and multiple manual audits.

Benchmark Scores Far Surpass Predecessor

On the Cybergym benchmark, Claude Mythos achieved 83.1% accuracy, compared to 66.6% for Claude Opus 4.6. On SWE-bench Verified, Mythos scored 93.9% vs. 80.8%; on SWE-bench Pro, it reached 77.8% vs. 53.4% — a 24-point gap. On Humanity's Last Exam (without tools), Mythos garnered 56.8%, while Opus managed 40.0%.

Mythos required no specialized cybersecurity training. It reads code in isolated containers, forms hypotheses about memory safety flaws, compiles and runs software, uses debuggers like Address Sanitizer, ranks files by exploit probability, and generates confirmed bug reports with working proof-of-concept exploits. In tests against Firefox 147's JavaScript engine, Mythos produced 181 full shell exploits and 29 register control cases, while Claude Opus 4.6 output only two shell exploits.

Project Glasswing: A Defensive AI Coalition

In response to Mythos' capabilities, Anthropic launched Project Glasswing to steer the model toward defensive use. Founding partners include Amazon Web Services, Apple, Broadcom, Cisco, Crowdstrike, Google, JPMorganChase, Linux Foundation, Microsoft, Nvidia, and Palo Alto Networks, with access expanding to over 40 more organizations. Anthropic has allocated up to $100 million in Mythos usage credits for defenders.

Currently, fewer than 1% of discovered vulnerabilities have been fully patched. Anthropic is coordinating responsible disclosure, publishing SHA-3 cryptographic commitments for unfixed issues, and adhering to a 90+45-day timeline before full publication. Already disclosed is the 17-year-old FreeBSD NFS remote code execution vulnerability (CVE-2026-4747), allowing unauthenticated root access.

Open Source Donations and Political PAC

Anthropic also pledged $4 million for open-source security: $2.5 million to Alpha-Omega via the Linux Foundation's OpenSSF, and $1.5 million to the Apache Software Foundation. On April 3, the company registered its first employee-funded political action committee, AnthroPAC, with the Federal Election Commission, anticipating a midterm election focused on AI regulation.

The company acknowledged that AI tools like Mythos lower the barrier for vulnerability discovery and exploitation, warning of short-term risks from nation-states (China, Iran, North Korea, Russia) and criminal groups if similar capabilities proliferate unchecked. Future Claude Opus releases will include safeguards to detect and block dangerous cybersecurity outputs, and a dedicated cyber-vetting program for verified security professionals is planned. A public report on partner findings and patched vulnerabilities is expected within 90 days.

This article was originally published by Bit.Fan. For more cryptocurrency news and market insights, visit www.bit.fan.
300

Disclaimer:

The market information, project data, and third-party content displayed on this platform are for industry information sharing only and do not constitute any form of investment advice or return commitment.

Cryptocurrency trading carries high risks. Users should fully assess their risk tolerance and make independent decisions. All profits, losses, and legal responsibilities are borne by the users themselves.