vulnerability-discovery

One week after Anthropic launched Project Glasswing to let 50+ organizations test its Claude Mythos vulnerability-finding model, the actual CVE count remains unknown. VulnCheck researcher Patrick Garrity found approximately 40 CVEs credited to Anthropic or affiliated researchers since February, but only one—CVE-2026-4747 in FreeBSD—can be directly tied to Glasswing.

Anthropic has launched Mythos, an AI model the company claims can identify and exploit zero-day vulnerabilities with significant capability. The model has not been released publicly, with Anthropic citing security concerns. The announcement raises questions about the model's actual capabilities versus pre-IPO positioning.

Anthropic has announced Project Glasswing, restricting its new frontier model Claude Mythos Preview to defensive cybersecurity purposes through a coalition of 11 partners including AWS, Apple, Google, and Microsoft. The model has autonomously discovered thousands of high-severity vulnerabilities in major operating systems and web browsers—including a 27-year-old bug in OpenBSD and a 16-year-old vulnerability in FFmpeg—and can exploit them with 83.1% reliability on known vulnerabilities.