Anthropic’s Project Glasswing uncovers over 10,000 software vulnerabilities using Claude AI


The AI lab's unreleased Claude Mythos Preview model found decades-old zero-day flaws in major operating systems and browsers in just one month.

Anthropic just demonstrated what happens when you point a sufficiently powerful AI model at the world’s software and tell it to find every crack in the foundation. The answer: more than 10,000 high- and critical-severity vulnerabilities, many of them previously unknown zero-days lurking in major operating systems and web browsers.

Project Glasswing, the AI safety company’s proactive defense initiative, launched on April 7, 2026. By May 22, roughly six weeks later, the project’s Claude Mythos Preview model had already surfaced a staggering volume of security flaws that human researchers might have taken years to catalog.

What Claude Mythos Preview actually found

The vulnerabilities weren’t trivial edge cases buried in obscure software libraries. They affected foundational infrastructure: the operating systems and browsers that billions of people use daily.

Among the discoveries were a 27-year-old vulnerability in OpenBSD, a system long considered one of the most security-conscious operating systems in existence, and a 16-year-old flaw in FFmpeg, the open-source multimedia framework that quietly powers video processing across countless applications and platforms.

The majority of the discovered flaws were classified as zero-days, meaning they were previously unknown to the software vendors and security community.

How it works and who has access

Claude Mythos Preview demonstrated what Anthropic described as remarkable autonomous capabilities. The model didn’t just identify individual vulnerabilities in isolation. It was able to chain them together and develop working exploits, a process that typically requires elite human security researchers working over extended periods.

Anthropic has restricted access to Claude Mythos Preview, making it available only to vetted partners rather than releasing it broadly. Those partners include AWS, Apple, Google, and Microsoft, which are combining resources to secure critical infrastructure before malicious actors can exploit the discovered vulnerabilities.

The patching bottleneck

Project Glasswing has surfaced a reality that the cybersecurity industry has been nervously anticipating: the rate at which AI can find vulnerabilities now dramatically exceeds the speed at which humans can patch and verify fixes. Software vendors typically operate on disclosure timelines measured in weeks or months. When a single AI model generates thousands of critical findings in that same window, the entire remediation pipeline becomes a bottleneck.

Disclosure: This article was edited by Editorial Team. For more information on how we create and review content, see our Editorial Policy.
