Valtik Studios
Back to blog
Anthropicinfo2026-04-1615 min

Anthropic Mythos Found Thousands of Zero-Days. Here Is What That Actually Means.

Claude Mythos autonomously found 595 crashes across 1,000 OSS repos, including a 17-year-old FreeBSD NFS RCE (CVE-2026-4747). What it actually does and why it matters for vulnerability research and threat intelligence.

What Anthropic announced

In April 2026, Anthropic released Claude Mythos Preview and launched Project Glasswing. Committed $100 million in usage credits plus $4 million to open-source security. Over 40 partners including AWS, Apple, Cisco, CrowdStrike, Google, Microsoft, NVIDIA, and Palo Alto Networks.

What Mythos actually does

Automated vulnerability research across 1,000 open-source repositories (7,000 entry points). Previous models reached tier 1 on 150-175 cases. Mythos achieved 595 crashes across tiers 1-2, plus 10 full control flow hijacks on patched targets (tier 5, meaning complete arbitrary code execution).

CVE-2026-4747

A 17-year-old remote code execution in FreeBSD NFS. Found fully autonomously. Unauthenticated root access from anywhere on the internet. In a codebase audited by world-class researchers for nearly two decades.

"Autonomous" means: given a clear objective, source code access, and compute. It did not decide to look at FreeBSD on its own. It systematically generated inputs, observed outputs, and refined based on feedback.

This is fuzzing, not thinking

What Mythos does is functionally equivalent to what human security researchers do when fuzzing, at humanly impossible speed and scale. The same mechanism that lets ChatGPT complete a sentence lets Mythos identify vulnerable code paths. Pattern recognition on code instead of text.

What this means

Genuinely valuable for defensive security. Will accelerate patching. But if Anthropic can build this, nation-states can too. The race is whether defenders patch faster than attackers exploit.

Mythos is not sentient, conscious, or capable of understanding code. It is automated fuzzing taken to a scale no prior model reached. A real advancement that requires human direction and oversight.

Sources

  1. Anthropic, "Project Glasswing" (April 2026)
  2. Anthropic Red Team Evaluation (April 2026)
  3. Fortune, "Claude Mythos and Project Glasswing" (April 2026)
  4. CVE-2026-4747, FreeBSD NFS RCE
ai securityanthropicmythosvulnerability researchthreat intelligencecvezero-dayresearch

Want us to check your Anthropic setup?

Our scanner detects this exact misconfiguration. plus dozens more across 38 platforms. Free website check available, no commitment required.

Free Security CheckRequest Full Audit
Related Reading
AI18 min
Your AI Chatbot Is a Fancy Calculator. Here Is Why.
LLMs are next-token prediction engines, not reasoning machines. A technical takedown of AI sentience claims with implications for cybersecur
Supply Chain16 min
A Hacker Spent Two Years Earning Trust to Backdoor the Internet
The XZ Utils backdoor (CVE-2024-3094) was a near-miss supply chain attack three years in the making. Systemd's liblzma dependency turned int
Encryption16 min
Your Encryption Has an Expiration Date
Every HTTPS connection, Signal chat, and VPN on the internet relies on crypto that quantum computers will break. NIST finalized the replacem