Mythos AI Exploits Flaws Missed by Humans for 27 Years, Demanding New Playbook

A new artificial intelligence model, Mythos Preview, developed by Anthropic, has autonomously identified thousands of previously undetected software vulnerabilities across major operating systems and browsers. Among its discoveries is a 27-year-old flaw in OpenBSD’s TCP stack that could crash servers with just two specially crafted packets, a vulnerability that eluded extensive audits and testing. The campaign that found it cost approximately $20,000 in total, with the specific model run that surfaced the flaw costing under $50.

The AI model demonstrated a significant leap in capability. For instance, in exploit writing for Firefox 147, Mythos generated 181 successful exploits compared to 2 by a previous model. It also uncovered a 17-year-old unauthenticated remote code execution vulnerability in FreeBSD’s NFS, found flaws in cryptography libraries, and achieved guest-to-host escapes in production virtual machine monitors. Its findings also include chaining multiple low-severity vulnerabilities into local privilege escalations in the Linux kernel.

In response to these findings, Anthropic has launched Project Glasswing, a defensive coalition involving 12 key partners such as CrowdStrike, Cisco, Microsoft, Apple, and AWS, alongside over 40 other critical software infrastructure organizations. This initiative is supported by $100 million in usage credits and $4 million in open-source grants, allowing partners to deploy Mythos against their own systems.

A public report detailing Glasswing’s findings is anticipated in early July 2026. Industry experts have expressed both optimism and concern regarding the speed of these AI advancements, noting that while the technology offers powerful defensive tools, adversaries are also expected to leverage similar capabilities.

Security professionals face a rapidly evolving landscape, with AI-augmented attacks capable of reverse-engineering patches within 72 hours. This contrasts sharply with many organizations’ annual patching cycles, creating a critical window of vulnerability. The impending EU AI Act’s enforcement phase, set for August 2026, further mandates stringent cybersecurity requirements for high-risk AI systems.

The forthcoming July report is expected to initiate a substantial wave of required patches across various critical software components. Over 99% of the vulnerabilities identified by Mythos remain unpatched, signaling a significant security challenge for the industry. Researchers using smaller, open-source AI models have reportedly found similar vulnerabilities, suggesting that the capability is not exclusive to high-end systems.

Source: Original
