Anthropic's Mythos AI Model Triggers Global Security Alarm After Finding Unpatched Vulnerabilities

Anthropic has triggered responses from governments, central banks, and cybersecurity officials worldwide after announcing Claude Mythos Preview, its most capable AI model to date. The company says the model can identify and exploit critical security vulnerabilities across all major operating systems and web browsers. Access has been restricted to a small group of vetted partners under a program Anthropic calls Project Glasswing.

Mythos Found Critical Bugs Hiding in Plain Sight for Decades

According to Anthropic's technical report, Mythos identified critical vulnerabilities across every major operating system and web browser during internal testing. Of those vulnerabilities, 99 percent remain unpatched. Specific findings include:

• A 27-year-old bug in OpenBSD that allows a remote attacker to crash any host responding over TCP
• A 16-year-old vulnerability in FFmpeg's H.264 codec, present since a 2003 commit and missed by every fuzzer and human reviewer since
• A 17-year-old remote code execution flaw in FreeBSD's NFS server, triaged as CVE-2026-4747, which Mythos identified and fully exploited autonomously with no human involvement after an initial prompt
• Critical vulnerabilities in major cryptography libraries covering TLS, AES-GCM, and SSH implementations
• Exploitable weaknesses in virtual machine monitors used across public cloud infrastructure
• Vulnerabilities in every major web browser, none of which have been patched

Anthropic says these capabilities were not explicitly trained into Mythos but emerged as a downstream result of general improvements in code, reasoning, and autonomy.

Source: Mythos Preview

How Far Ahead of Previous Models Mythos Actually Is

• Mythos achieved full control flow hijack on 10 separate, fully patched targets in internal benchmarks, compared to a single tier-3 crash for Opus 4.6
• In a Firefox exploit benchmark, Mythos produced 181 working exploits across several hundred attempts, compared to 2 for Opus 4.6
• Human validators agreed with Claude's severity assessment in 89% of 198 manually reviewed reports, with 98% within one severity level
• Finding the critical OpenBSD bug across 1,000 scaffold runs cost under $20,000 total
• A complete Linux kernel privilege escalation exploit was built in under half a day at under $1,000

Governments and Central Banks Begin Scrambling

CBC News reported that the Bank of England's governor warned publicly that Anthropic may have found a way to "crack the whole cyber-risk world open." British authorities held talks with major banks and cybersecurity officials.

• The European Central Bank began questioning banks about their defenses.
• Canada's finance minister compared the threat to the closure of the Strait of Hormuz.
• Bloomberg reported the U.S. government is planning to make a version of Mythos available to major federal agencies.

Anthropic CEO Dario Amodei met with White House officials following the announcement.

Mythos Was Breached Hours After Launch

Bloomberg reported that within hours of the announcement, a group on Discord gained unauthorized access to a version of Mythos by reverse-engineering Anthropic's internal naming conventions. Anthropic confirmed on Tuesday that it was investigating the report.

Access Scope and Anthropic’s Defense Guidance

Anthropic has shared Mythos with more than 40 organizations involved in critical global infrastructure. Outside the United States, only Britain has been given access. Named partners pledged to help develop security fixes, including Amazon, Apple, and Microsoft. The company says it expects other AI labs to release models with similar cyber capabilities within at least 18 months.

Anthropic advises defenders to begin using currently available frontier models, such as Claude Opus 4.6, for vulnerability discovery now, shorten patch cycles, automate incident response pipelines, and update coordinated vulnerability disclosure policies ahead of broader model availability.

The World Economic Forum noted the Mythos episode reinforces warnings from its Global Cybersecurity Outlook 2026 and said coordinated responses will be central at its Annual Meeting on Cybersecurity in May 2026.

Anthropic says it has no immediate timeline for expanding access to Mythos more broadly

Also Read

• Anthropic Tests Higher Pricing for Claude Code as Usage Surges
• Anthropic Launches Claude Design for Teams to Create Prototypes, Decks, and Landing Pages
• Anthropic Launched Claude Opus 4.5 — New Flagship Model for Coding and Complex AI Workflows
• OpenAI Closes Record $122 Billion Funding Round at $852 Billion Valuation
• Google Launches Gemma 4, Its Most Capable Open Model Family