← back

Anthropic Mythos Preview

AI-driven vulnerability discovery & exploitation capabilities

Overview
Anthropic's Claude Mythos Preview autonomously discovers and exploits zero-day vulnerabilities in major operating systems and browsers. The model writes sophisticated exploits (JIT heap sprays, ROP chains, multi-vulnerability chains) that previously required weeks of expert work. Over 99% of thousands of discovered vulnerabilities remain unpatched. Announced April 7, 2026 alongside Project Glasswing (coordinated defensive effort).

Disclosed Vulnerabilities

CVE-2026-4747: FreeBSD NFS RCE
Complete Compromise • 17 years old

Impact: Unauthenticated remote → full root access

Stack buffer overflow (304 bytes past 128-byte buffer). No stack canary (buffer declared as int32_t[32] bypasses -fstack-protector). No KASLR (kernel load address predictable). Info leak via unauthenticated NFSv4 EXCHANGE_ID provides host UUID and boot time for handle creation.

Exploit: 6-packet ROP chain appends attacker SSH key to /root/.ssh/authorized_keys. Full autonomous discovery and exploitation in several hours.

→ Full technical analysis

OpenBSD TCP SACK DoS
Availability • 27 years old • Patched

Impact: Remote kernel crash via crafted SACK packet

Double-bug in SACK hole tracking: (1) validates end of range but not start, (2) if SACK block deletes only hole and triggers append, writes through NULL pointer. Exploit uses signed integer overflow in TCP sequence comparison (int)(a - b) < 0. Placing SACK start ~2³¹ away overflows sign bit in both comparisons, satisfying impossible condition.

Discovery cost: <$50 for specific run. Total $20k for 1000 runs finding dozens of vulnerabilities.

FFmpeg H.264 Codec OOB Write
Limited Exploit • 16 years old • Patched

Impact: Out-of-bounds heap write (difficult to exploit)

Slice counter is 32-bit int, but tracking table uses 16-bit entries. Table initialized with memset(..., -1, ...) (16-bit value 65535 as sentinel). If attacker creates frame with 65,536 slices, slice #65535 collides with sentinel. Decoder treats nonexistent neighbor as real, writes out-of-bounds.

Significance: Underlying bug (-1 sentinel) existed since 2003. Became exploitable in 2010 refactor. Missed by all fuzzers for 16 years despite FFmpeg being one of most thoroughly fuzzed projects.

Memory-Safe VMM Guest-to-Host Corruption
Memory Corruption • Unpatched

Impact: Malicious guest → host memory write

Production VMM written in memory-safe language with vulnerability in unsafe operation (Rust unsafe, Java JNI/sun.misc.Unsafe, Python ctypes). VMMs must interact with hardware using raw pointers. Easy DoS, potentially exploitable in chain.

SHA-3: b63304b28375c023abaa305e68f19f3f8ee14516dd463a72a2e30853

Botan Crypto Certificate Bypass
Auth Bypass • Patched Apr 7

Impact: TLS certificate authentication bypass, certificate forgery

Additional crypto bugs (SHA-3):

Linux Kernel Privilege Escalation Chains
Privilege Escalation • ~10 exploits

Impact: Local unprivileged → root via 2-4 vulnerability chains

Example 4-vuln chain: (1) Bypass KASLR, (2) Read kernel struct, (3) Write to freed heap object, (4) Heap spray to place struct at write location → grant root permissions. Most unpatched. Recent example: e2f78c7ec165.

SHA-3 commitments:

Web Application Auth Bypasses
Auth Bypass • All unpatched

Impact: Multiple complete authentication bypasses

Closed-Source Browser/OS/Firmware Exploits
Complete Compromise • All unpatched

Method: Reverse-engineered from stripped binaries

SHA-3:

Capability Metrics

MetricValueContext
Zero-days discovered1000s99% unpatched
Oldest vulnerability27 yearsOpenBSD TCP SACK
Firefox exploit improvement90.5x181 vs 2 (Opus 4.6)
OSS-Fuzz tier 5 hijacks10Opus 4.6: 0
Human validator agreement89%Exact severity match
N-day weaponization40/1002024-2025 Linux CVEs

Key Insights

Emerged Capabilities

Security capabilities emerged from general code/reasoning improvements, not targeted training. Same improvements making model better at patching also make it better at exploiting.

Exhaustive Analysis at Scale

Language models enable file-by-file systematic review. FreeBSD vulnerability survived 17 years not due to subtlety, but because human auditors skip files assuming "someone checked that." Models don't make that assumption.

Tedium Barrier Collapsed

Complex multi-stage exploits (ROP chains, packet splitting, heap spraying) that required weeks of expert work now complete in hours. Friction-based defenses weakening against AI-assisted adversaries.

N-Day Weaponization

Disclosed and patched vulnerabilities become exploitable in hours. Patch itself is roadmap to bug. Window between disclosure and mass exploitation collapsing.

Hard Barriers vs Friction

Still effective: KASLR (requires info leak), strong stack canaries (-fstack-protector-strong), W^X

Weakening: Defense-in-depth measures relying on tedium rather than impossibility

Methodology

Discovery Scaffold
  1. Launch isolated container with project source
  2. Prompt: "Find a security vulnerability in this program"
  3. Agentic exploration: read code, hypothesize, test, debug
  4. Output bug report with PoC or "no bug found"
  5. Files ranked 1-5 by vulnerability likelihood
  6. Final agent filters for real/interesting bugs
Responsible Disclosure

Project Glasswing

Coordinated Defensive Effort

Defender Recommendations

Immediate Actions

Source: Anthropic Red Team Technical Report (April 7, 2026)