Anthropic's Claude Mythos AI Discovers Thousands of Zero-Days Across Every Major OS — Project Glasswing Offers Private Access

Anthropic's specialised vulnerability-hunting AI, Claude Mythos, has systematically discovered thousands of zero-day vulnerabilities across Windows, macOS, Linux, and major browsers — including a 17-year-old NFS RCE in FreeBSD and a 27-year-old OpenBSD denial-of-service. Project Glasswing provides private early access to Microsoft, Google, Apple, and select others. The implications for enterprise risk governance are immediate.

Tags: #ai-security #zero-day #vulnerability-research #anthropic #risk-governance #threat-landscape

Anthropic has disclosed that a specialised internal AI model, designated Claude Mythos, has identified thousands of previously unknown security vulnerabilities across virtually every major operating system, browser, and widely deployed software library. The findings have been verified through coordinated disclosure with affected vendors. Anthropic has simultaneously established Project Glasswing — a private programme providing early access to Mythos-generated vulnerability intelligence to a select group of major technology companies — to manage the operational reality of disclosing this volume of findings through standard processes.

What Was Found

Claude Mythos approaches vulnerability research through code reasoning rather than pre-defined test cases: the model analyses code structure, identifies classes of insecure patterns, and generates targeted exploits to confirm reachability. Among the confirmed findings disclosed publicly are:

  • CVE-2026-4747 — a 17-year-old unauthenticated remote code execution vulnerability in FreeBSD’s NFS server implementation, present since 2009, reachable from the network without credentials
  • A 27-year-old denial-of-service vulnerability in OpenBSD’s TCP SACK handling, present since OpenBSD’s initial TCP stack implementation in the late 1990s
  • A 16-year-old memory corruption flaw in FFmpeg’s H.264 decoder, triggerable via crafted video streams

These are not obscure edge cases. FreeBSD NFS is widely deployed in NetApp storage appliances, BSD-based network devices, and enterprise NAS infrastructure. FFmpeg underlies video processing in browsers, mobile platforms, streaming services, and broadcast infrastructure. The age of these vulnerabilities means they survived every prior manual code review, traditional fuzzing campaign, and static analysis pass applied to this code over decades.

Project Glasswing

Anthropic structured private early access through Project Glasswing because standard 90-day coordinated disclosure timelines become operationally unworkable when thousands of vulnerabilities are identified simultaneously. Confirmed Glasswing participants include Microsoft, Google, Apple, Amazon Web Services, Cisco, NVIDIA, JPMorgan Chase, and the Linux Foundation. Each receives advance notice of vulnerabilities in their own products, along with technical details sufficient to develop patches before public release.

This is a rational triage response to an unprecedented volume of findings, but it is explicitly a delay mechanism rather than a remediation mechanism. Glasswing gives major vendors more runway before a public disclosure deadline; it does not change patch deployment timelines for the broader enterprise customer base.

Enterprise Risk Implications

Legacy software carries invisible accumulated risk. The 17- and 27-year-old vulnerabilities found by Mythos demonstrate that software security posture cannot be inferred from age, review history, or audit count. A codebase running correctly for two decades does not imply absence of exploitable flaws — it implies they have not yet been found.

Patching velocity is now the primary risk variable. If AI-assisted vulnerability research dramatically compresses the time between “flaw exists” and “flaw is known to adversaries,” the gap between patch availability and enterprise deployment becomes the dominant risk factor. The 2025–2026 pattern of sustained exploitation of months-old CVEs — documented in every CISA KEV tranche — shows that gap is already dangerously wide for many organisations.

AI tooling access by threat actors is not a theoretical future risk. The same reasoning capability that allows Mythos to find vulnerabilities at scale is available, in less refined form, to well-resourced criminal and nation-state groups now. Anthropic’s controlled programme buys time, but commodity AI vulnerability research tooling will not remain proprietary indefinitely. The asymmetry in discovery speed versus remediation speed already favours attackers even before AI-assisted discovery reaches its potential ceiling.

Governance and Compliance Questions

Security, legal, and operations teams should address the following questions and actions raised by the Glasswing model:

  • Does advance notice affect disclosure obligations? If a Project Glasswing participant receives advance notice of a critical vulnerability in their product, fails to patch before public disclosure, and a breach results — does delayed remediation constitute a governance failure under NIS2, DORA, or applicable cyber regulations?
  • Does your risk register reflect AI-accelerated vulnerability discovery? The assumption underlying most board-level cyber risk discussions — that material new vulnerabilities emerge at a manageable cadence — may no longer hold as a planning assumption.
  • Are vendor SLAs still adequate? If your critical software vendors are receiving AI-identified zero-days via private disclosure programmes, ask them explicitly: what is their patch development timeline from private notification to general availability?
  • Prioritise CVE-2026-4747 immediately: Any FreeBSD NFS infrastructure — including NetApp appliances and BSD-based network devices — should be assessed for exposure and patched as vendor guidance becomes available.
  • Audit FFmpeg versions across your environment: FFmpeg is embedded in a wide range of software components; inventory and update FFmpeg in applications, media processing pipelines, and browser-adjacent tooling.
  • Review patch SLAs: If your organisation measures critical patch deployment in weeks or months, model what a sustained increase in critical CVE disclosure frequency would mean for your backlog and risk exposure.
  • Update enterprise risk assessments: Brief the CISO and risk committee on the Glasswing disclosure — this represents a material change in the threat landscape that should be reflected in the enterprise risk register, cyber insurance renewal discussions, and board cyber risk reporting.
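The backlog modelling asked for under "Review patch SLAs", and the patch-velocity argument in the risk section above, as an added illustration that is not from the article or from Anthropic: a small FIFO queue model of critical-CVE remediation. The disclosure rates, patch capacity and SLA used here are constructed, illustrative values, not measured data.

```python
from collections import deque
from typing import Sequence


def simulate_backlog(disclosures_per_week: Sequence[int], patch_capacity: int, sla_weeks: int):
    """FIFO model of a critical-CVE remediation queue.

    disclosures_per_week[w] new critical CVEs arrive in week w; at most
    patch_capacity are remediated per week, oldest first. A CVE is within SLA
    if it is closed within sla_weeks weeks of arrival (the arrival week counts as 1).
    Returns (final_backlog, breach_cve_weeks, max_open_age_weeks), where
    breach_cve_weeks sums, over all weeks, the open CVEs that are past SLA.
    """
    queue = deque()           # arrival week of each open CVE, oldest on the left
    breach_cve_weeks = 0
    max_age = 0
    for week, arrivals in enumerate(disclosures_per_week):
        queue.extend([week] * arrivals)
        for _ in range(min(patch_capacity, len(queue))):
            queue.popleft()   # remediate the oldest open CVEs first
        for arrival in queue: # measure exposure of what is still open at week end
            age = week - arrival + 1
            max_age = max(max_age, age)
            if age > sla_weeks:
                breach_cve_weeks += 1
    return len(queue), breach_cve_weeks, max_age


def ramp(baseline: int, surge: int, baseline_weeks: int, surge_weeks: int):
    """Constructed scenario: a steady disclosure rate followed by a sustained increase."""
    return [baseline] * baseline_weeks + [surge] * surge_weeks


if __name__ == "__main__":
    # Constructed scenarios: the same patch capacity (8/week) against a steady
    # 5/week disclosure rate and against a sustained jump to 12/week.
    for label, profile in [("steady", ramp(5, 5, 4, 6)), ("surge", ramp(5, 12, 4, 6))]:
        backlog, breaches, oldest = simulate_backlog(profile, patch_capacity=8, sla_weeks=2)
        print(f"{label}: backlog={backlog} SLA-breach CVE-weeks={breaches} oldest open={oldest}w")
```

Once the disclosure rate exceeds patch capacity the backlog grows linearly and every CVE eventually ages past the SLA, which is the point the article makes about remediation speed being the dominant variable.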
