Anthropic's Claude Mythos CVE count remains unclear as Project Glasswing participants stay silent
One week after Anthropic launched Project Glasswing to let 50+ organizations test its Claude Mythos vulnerability-finding model, the actual CVE count remains unknown. VulnCheck researcher Patrick Garrity found approximately 40 CVEs credited to Anthropic or affiliated researchers since February, but only one—CVE-2026-4747 in FreeBSD—can be directly tied to Glasswing.
Anthropic's Claude Mythos CVE count remains unclear as Project Glasswing participants stay silent
One week after Anthropic announced Project Glasswing, the number of vulnerabilities discovered by its Claude Mythos model remains largely unknown. According to VulnCheck researcher Patrick Garrity, the actual CVE count is "maybe 40, or maybe none at all."
What we know about Project Glasswing
Anthropic announced Claude Mythos Preview on April 7, 2026, claiming the model can find and develop exploits for zero-day vulnerabilities "in every major operating system and every major web browser." Rather than releasing the model publicly, Anthropic launched Project Glasswing, allowing approximately 50 selected organizations to test the model on their own products.
Confirmed participants include Amazon Web Services, Anthropic, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, Linux Foundation, Microsoft, Nvidia, Palo Alto Networks, and Intel.
The CVE database search
Garrity searched the CVE database—which contains over 327,000 records—for any entries containing "Anthropic" from February 2026 onward. His findings:
- 75 total CVE records mentioning Anthropic
- 35 CVEs affect Anthropic's own tools (Claude Code, MCP Inspector, third-party integrations)—not Glasswing discoveries
- 40 CVEs credited to Anthropic or Anthropic-affiliated researchers—potentially Glasswing finds, but unconfirmed
The 40 potential Glasswing CVEs break down as:
- 28 CVEs in Mozilla Firefox
- 9 CVEs in wolfSSL embedded SSL/TLS library
- 1 CVE in F5's NGINX Plus
- 1 CVE in FreeBSD (CVE-2026-4747)
- 1 CVE in OpenSSL
Only one confirmed Glasswing CVE
CVE-2026-4747, a remote code execution bug in FreeBSD, is the only publicly disclosed vulnerability directly tied to Project Glasswing. The CVE record credits "Nicholas Carlini using Claude, Anthropic." According to Anthropic's blog, "Mythos Preview fully autonomously identified and then exploited a 17-year-old remote code execution vulnerability in FreeBSD that allows anyone to gain root on a machine running NFS."
Anthropic has also claimed Mythos Preview found:
- A now-patched 27-year-old bug in OpenBSD (no CVE assigned)
- A 16-year-old FFmpeg bug (no CVE assigned)
- Linux kernel privilege escalation chains (no CVE assigned)
None of these have been assigned CVE identifiers.
Transparency concerns
Garrity noted that the three distinct credit attributions in the database—Anthropic research team, Nicholas Carlini individually, and Calif.io (running "MADBugs" program)—make it difficult to determine which vulnerabilities are actually Glasswing discoveries.
"The full picture won't be known until public disclosure takes place and Anthropic has indicated a public summary report is expected around July 2026," Garrity wrote. He suggested Anthropic create a dedicated security advisory page for consistent vulnerability disclosure.
What this means
Anthropic made bold claims about Claude Mythos's vulnerability discovery capabilities, stating it would "cause mass chaos and break the internet" if released publicly. However, one week into Project Glasswing, the actual impact remains unverifiable. With only one confirmed CVE directly linked to the program and a promised public report not expected until July 2026, the industry lacks concrete data to evaluate whether Claude Mythos represents a genuine breakthrough in automated vulnerability discovery or primarily generates marketing value through secrecy.
Related Articles
Anthropic offers K-12 teachers free year of Claude Pro with educational tools through June 2027
Anthropic launched Claude for Teachers, offering K-12 educators in the United States free access to premium Claude features for one year. The program includes Claude Cowork, Claude Code, and education-focused skills developed with Learning Commons, with applications open until June 30, 2027.
Anthropic launches rupee pricing for Claude in India at ₹2,000/month, its second-largest market
Anthropic has begun displaying rupee-denominated pricing for Claude subscriptions in India, its second-largest market after the US with 5.8% of global usage. Claude Pro is priced at ₹2,000 ($21) monthly when billed annually, compared to $17 in the US, with Indian prices including local taxes.
Anthropic extends Claude Fable 5 access through July 19 amid GPT-5.6 Sol competition
Anthropic has extended Claude Fable 5 access on all paid plans through July 19, 2026, marking another extension of the advanced model's availability. The extension comes after OpenAI released GPT-5.6 Sol, which is classified in the same Fable/Mythos model tier.
Anthropic adds sandboxed in-app browser to Claude Code desktop app
Anthropic has added an in-app browser to Claude Code's desktop application. The sandboxed browser allows Claude to read, click through, and interact with documentation, designs, and local development servers, with configurable session persistence.
Comments
Loading...