Claude Mythos Preview: Anthropic’s Unreleased AI Cracked Linux and OpenBSD Bugs Humans Missed for Decades

Key Takeaways:

• Anthropic’s Claude Mythos Preview scored 83.1% connected Cybergym, uncovering thousands of zero-days crossed each large OS and browser.
• Project Glasswing launched April 7, 2026, with 11 founding partners and up to $100 cardinal successful Mythos usage credits for defenders.
• A 27-year-old OpenBSD flaw and a 16-year-old FFmpeg bug survived millions of automated tests until Mythos recovered them successful hours.

Claude Mythos AI Scored 83% connected Cybergym and Found Critical Flaws Across Every Major Browser and OS

The model, which Anthropic describes arsenic the largest single-model capableness summation successful frontier AI history, completed grooming and was announced publically connected April 7, 2026, aft interior details surfaced successful precocious March done a misconfigured contented absorption strategy that exposed astir 3,000 interior files.

Anthropic is not releasing the Claude Mythos Preview to the nationalist oregon done its wide API. The institution restricted entree to a vetted radical of partners aft the exemplary demonstrated it could observe and exploit chartless bundle flaws antecedently astatine a velocity and standard that outpaces some quality experts and anterior AI systems.

On cybersecurity benchmarks, the spread betwixt Mythos and Claude Opus 4.6 is hard to ignore. Mythos scored 83.1% connected Cybergym versus 66.6% for Opus 4.6, and 93.9% versus 80.8% connected SWE-bench Verified. On SWE-bench Pro, it posted 77.8% against 53.4% — a 24-point spread. It deed 56.8% connected Humanity’s Last Exam without tools, compared to 40.0% for its predecessor.

The exemplary does not request cybersecurity-specific grooming to find these bugs. Its gains travel from broader advances successful reasoning, multi-step planning, and autonomous agentic behavior. Given a people codebase successful an isolated container, it reads root code, forms hypotheses astir memory-safety flaws, compiles and runs the software, uses debuggers similar Address Sanitizer, ranks files by vulnerability likelihood, and produces validated bug reports with moving proof-of-concept exploits.

Some of those exploits required astir nary quality direction. Tomshardware.com reports that a 27-year-old OpenBSD TCP SACK vulnerability, a subtle integer overflow that lets an attacker remotely clang immoderate responding big by crafting malicious packets, was recovered autonomously aft astir 1,000 runs astatine a full outgo nether $20,000. A 16-year-old FFmpeg H.264 bug survived much than 5 cardinal automated tests and aggregate audits earlier Mythos caught it.

The browser results drew peculiar attention. On Firefox 147 JavaScript motor testing, Mythos produced 181 afloat ammunition exploits and 29 register-control cases. Claude Opus 4.6 produced 2 ammunition exploits crossed the aforesaid trial set. The exemplary besides built moving Linux kernel privilege-escalation chains, idiosyncratic to basal connected servers, aft filtering 100 caller CVEs down to 40 exploitable candidates and successfully exploiting much than half.

Human validators reviewed 198 of the model’s vulnerability reports and agreed with its severity ratings 89% of the time, with 98% statement wrong 1 severity level.

Project Glasswing

Fewer than 1% of the identified bugs person been afloat patched truthful far. Anthropic is coordinating liable disclosure, publishing cryptographic SHA-3 commitments for unpatched issues, and pursuing a 90-plus-45-day timeline earlier releasing afloat details. FreeBSD NFS server distant codification execution bug CVE-2026-4747, 17 years old, granting afloat unauthenticated basal access, is among the named examples already successful disclosure.

Project Glasswing, announced alongside the model, is Anthropic’s effort to nonstop these capabilities toward defence earlier akin tools go wide available. Founding partners see Amazon Web Services, Apple, Broadcom, Cisco, Crowdstrike, Google, JPMorganChase, the Linux Foundation, Microsoft, Nvidia, and Palo Alto Networks. Access is being extended to much than 40 further captious bundle organizations.

Anthropic committed $4 cardinal successful open-source information donations: $2.5 cardinal to Alpha-Omega done the OpenSSF via the Linux Foundation, and $1.5 cardinal to the Apache Software Foundation.

The institution acknowledged that AI tools similar Mythos little the obstruction for uncovering and exploiting vulnerabilities, and flagged near-term hazard from authorities actors, China, Iran, North Korea, and Russia, and transgression groups if akin capabilities dispersed without controls. It described a play of transitional turmoil earlier defenders afloat integrate the technology.

Anthropic said upcoming Claude Opus releases volition see safeguards to observe and artifact unsafe cybersecurity outputs, and plans to present a Cyber Verification Program for vetted information professionals. A nationalist study connected spouse findings and patched vulnerabilities is expected wrong 90 days.