Anthropic Holds Advanced AI Model to Fix Critical Software Vulnerabilities
Anthropic said its latest AI model, Claude Mythos Preview, has identified thousands of high-severity vulnerabilities across every major operating system and web browser. Rather than release the model publicly, the company is restricting access to allow vendors to patch the bugs before competitors deploy similar tools without comparable safeguards.
The model's exploit-writing capabilities pose operational risks that Anthropic's team takes seriously. Claude Mythos Preview converted 72.4% of identified vulnerabilities into working exploits in Firefox's JavaScript shell, and achieved register control in another 11.6% of attempted attacks.
Real-World Examples of Discovered Vulnerabilities
Anthropic documented specific bugs that illustrate the threat level:
- A 27-year-old vulnerability in OpenBSD that would crash systems upon connection
- A 16-year-old bug in FFmpeg that automated testing tools missed five million times
- An exploit chain in the Linux kernel enabling root access to host systems
When tested against 7,000 entry points in open-source repositories, Claude Mythos Preview achieved full control flow hijack on ten separate, fully patched targets. Older Claude versions achieved this only once across similar testing.
Project Glasswing: Industry Coordination
Anthropic convened major technology companies under "Project Glasswing" to patch vulnerabilities before broader AI deployment. Participants include Amazon Web Services, Apple, Broadcom, Cisco, Google, Microsoft, Nvidia, and others. The company also extended access to over 40 additional organizations maintaining critical software infrastructure.
The U.S. government is receiving briefings on the model's offensive and defensive capabilities and implications for national security.
Patching Challenges Ahead
Fewer than 1% of the vulnerabilities Anthropic identified have been fully patched so far. The volume of discoveries has strained responsible disclosure timelines across the industry.
Anthropic will not release Claude Mythos Preview for general use. The company plans to document the model's behavior through a system card and make it available only to restricted partners, hoping this approach gives the industry time to prepare for similar models becoming commonplace.
For operations teams, the disclosure signals that vulnerability identification and patching cycles need to accelerate. Organizations managing critical infrastructure should expect AI-driven exploit discovery to become standard, not exceptional.
Learn more about AI for Operations and how teams can adapt to emerging security challenges.
Your membership also unlocks:
