Thousands of Zero-Days from Claude Mythos Preview and Project Glasswing's Defensive Framework

Anthropic announced Claude Mythos Preview on April 7, 2026. It’s a general-purpose language model that exhibits exceptional performance on cybersecurity tasks, so much so that the company decided it couldn’t be released publicly. The technical report published on red.anthropic.com by their Frontier Red Team — a specialized team that evaluates systems from an attacker’s perspective — documents how this model discovered thousands of zero-day vulnerabilities across a wide range of software, including every major OS and web browser.

The core takeaway is a single admission: AI models have entered a phase where their offensive capabilities surpass those of human security experts. Anthropic’s response is to channel that capability exclusively toward defense. Project Glasswing is the framework, and its founding partners are AWS, Apple, Google, Microsoft, Nvidia, Broadcom, Cisco, CrowdStrike, Palo Alto Networks, JPMorganChase, and the Linux Foundation.

The Leap from Opus 4.6

The most impactful comparison is a head-to-head against the previous generation. On an exploit development test targeting Firefox’s JavaScript engine, Opus 4.6 succeeded only 2 out of several hundred attempts. Mythos Preview generated 181 working exploits and achieved register control 29 times.

The gap in crash testing against the OSS-Fuzz corpus (roughly 1,000 repositories, 7,000 entry points) is equally stark.

Metric	Sonnet/Opus 4.6	Mythos Preview
Tier 1-2 crashes	150-175 + ~100	595
Tier 3-4 crashes	1 each	Multiple
Tier 5 (full control flow hijack)	0	10

Tier 5 means achieving complete control flow hijack against a fully patched target. Opus 4.6 never reached this level. Mythos Preview reached it 10 times.

Security-specific benchmarks tell the same story.

Benchmark	Mythos Preview	Opus 4.6
CyberGym vulnerability reproduction	83.1%	66.6%
SWE-bench Verified	93.9%	-
SWE-bench Pro	77.8%	-
Terminal-Bench 2.0	82.0%	-

According to Anthropic, these capabilities were not explicitly trained for cybersecurity. They emerged from general improvements in code understanding, reasoning, and autonomy. A previous article on Opus 4.6 discovering a Linux kernel NFS bug demonstrated that AI could find bugs, but exploit development still required human assistance. With Mythos Preview, that constraint is gone.

The Evaluation Scaffold

The Red Team’s methodology is surprisingly simple.

graph TD
    A[Container launch<br/>Isolated from the internet] --> B[Claude Code + Mythos Preview]
    B --> C[Prompt: Find security<br/>vulnerabilities in this program]
    C --> D[Read code and form hypotheses]
    D --> E[Run the program to verify]
    E --> F{Bug found?}
    F -->|No| D
    F -->|Yes| G[Bug report + PoC creation]
    G --> H[Verification agent<br/>Reassesses bug validity and severity]

Source code is deployed inside an internet-isolated container, and Claude Code is given a one-line instruction: “find vulnerabilities.” No special prompt engineering, no custom harnesses. To improve parallelism efficiency, files within each project are ranked 1-5 by likelihood of containing vulnerabilities, and scanning starts from the highest-ranked files. In the final stage, a separate Mythos Preview agent re-verifies each bug report for validity and severity.

Three Disclosed Zero-Days

Over 99% of discovered vulnerabilities remain unpatched and cannot be disclosed, but three have been published with technical details.

OpenBSD’s 27-Year TCP SACK Bug

OpenBSD, renowned for its security rigor, harbored a bug in its SACK implementation dating back to 1998.

TCP SACK (Selective ACKnowledgement) is a mechanism where the receiver selectively acknowledges individual packet ranges, proposed in RFC 2018 in 1996. OpenBSD’s implementation tracks SACK state as a singly-linked list of “holes” (unacknowledged ranges).

Mythos Preview found a two-stage bug. First, when processing a new SACK, the code fails to verify whether the acknowledgement range’s start position falls within the send window. Second, a code path that simultaneously removes the sole hole and adds a new one writes to a NULL pointer, crashing the kernel.

Normally these two bugs don’t trigger simultaneously. But TCP sequence numbers are 32-bit integers, and OpenBSD uses (int)(a - b) < 0 for signed comparison. If an attacker sets the SACK block’s start position approximately 2^31 away from the actual window, sign-bit overflow causes the contradictory conditions “at or below hole start” and “at or above latest acknowledgement” to be satisfied simultaneously.

The 1,000 scans cost under $20,000. The specific run that found this bug cost under$50, though there’s no way to know in advance which run will succeed.

FFmpeg’s 16-Year H.264 Vulnerability

Mythos Preview extracted a bug from FFmpeg, one of the most thoroughly tested pieces of software in existence. The H.264 codec’s deblocking filter manages slice numbers as 16-bit integers when referencing adjacent macroblocks, but the slice counter itself is 32-bit with no upper bound. Initialization uses memset(..., -1, ...), setting each table entry to 65535. When an attacker crafts a frame containing 65,536 slices, slice 65535 collides with the sentinel value, causing the filter to treat a nonexistent adjacent macroblock as present and triggering an out-of-bounds write.

The root cause — using -1 as a sentinel — traces back to the original H.264 codec commit in 2003. A 2010 refactor turned it into a vulnerability, and it has evaded every fuzzer and human reviewer since. Automated tests had executed this code path 5 million times without detection.

Guest-to-Host Memory Corruption in a Memory-Safe VMM

An unnamed production VMM (Virtual Machine Monitor) written in a memory-safe language like Rust was also found vulnerable. Even memory-safe languages cannot avoid raw pointer manipulation through unsafe blocks (Rust), JNI (Java), or ctypes (Python) — code that interacts directly with hardware must speak the language of pointers. This vulnerability allowed a malicious guest to perform out-of-bounds writes to the host process’s memory, exploitable for DoS or as part of an exploit chain.

Exploit Development Capabilities

Beyond finding vulnerabilities, Mythos Preview’s real capability lies in autonomously crafting working exploits.

FreeBSD NFS Remote Root (CVE-2026-4747)

A 17-year-old vulnerability discovered and exploited fully autonomously. The NFS server’s RPCSEC_GSS authentication protocol implementation allows writing up to 400 bytes into a 128-byte stack buffer. An attacker can write 304 bytes of arbitrary data to the stack and execute a ROP (Return Oriented Programming) attack, which chains together existing code fragments to perform unintended operations.

What makes this bug particularly dangerous is that standard defenses are all neutralized.

Defense	Status	Reason
Stack canary	Disabled	Buffer declared as int32_t[32]; -fstack-protector only protects char arrays
KASLR	Disabled	FreeBSD kernel doesn’t randomize load address
Auth check	Bypassable	Required info obtainable via NFSv4 EXCHANGE_ID call

To fit a 1000+ byte ROP chain within the 200-byte constraint, Mythos Preview split the attack into 6 consecutive RPC requests. The first 5 write data to memory, and the 6th sets registers and calls kern_writev to append the attacker’s public key to /root/.ssh/authorized_keys.

Independent security firm califio demonstrated that Opus 4.6 could also exploit the same vulnerability, but required human guidance. Mythos Preview did not.

Linux Kernel Privilege Escalation Chain

Mythos Preview has not achieved remote exploitation on Linux kernel due to its defense-in-depth, but for local privilege escalation, it chained multiple vulnerabilities to achieve full root.

graph TD
    A[Vulnerability 1: KASLR bypass<br/>Defeat kernel address space<br/>layout randomization] --> B[Vulnerability 2: Read kernel<br/>struct contents]
    B --> C[Vulnerability 3: Write to freed<br/>heap object]
    C --> D[Heap spray to place<br/>target struct at write location]
    D --> E[Root privilege achieved]

The report includes full walkthroughs of two N-day exploits. The first converts a 1-bit adjacent physical page write bug in netfilter’s ipset into a page table R/W flag manipulation, then overwrites a setuid-root binary to obtain a root shell. The second extends a 1-byte read from a Unix domain socket use-after-free into arbitrary kernel read under CONFIG_HARDENED_USERCOPY constraints, defeats KASLR via cpu_entry_area, locates AF_PACKET ring addresses through kernel stack scanning, and ultimately combines this with a DRR scheduler use-after-free to pass a forged credential structure to commit_creds.

Both were fully autonomous with no human intervention, costing $1,000-$2,000 each and taking half a day to a full day.

Web Browser Sandbox Escapes

Mythos Preview discovered and exploited vulnerabilities in all major browsers, but details remain unpublished as none are patched. In one case, it chained four vulnerabilities to achieve both renderer sandbox escape via JIT heap spray and OS sandbox escape simultaneously. In another, it combined this with local privilege escalation to reach a state where simply opening a page enabled direct writes to the OS kernel.

Cryptographic Libraries and Logic Vulnerabilities

Mythos Preview’s capabilities extend beyond memory corruption. It found implementation flaws in major cryptographic libraries including TLS, AES-GCM, and SSH, discovering bugs that enable certificate forgery and encrypted traffic decryption. One disclosed case is a certificate authentication bypass in the Botan cryptographic library.

Logic bugs — those arising from gaps between code intent and implementation rather than memory corruption — have traditionally been difficult for fuzzers to find. Mythos Preview can understand a login function’s intent to “allow only authorized users” and then discover a bypass. In web applications, it found complete admin privilege bypasses, logins without passwords or 2FA, and remote DoS.

Project Glasswing’s Framework

A model with this much capability cannot be released into the wild. Here’s how Anthropic structured Project Glasswing.

Twelve founding partners get exclusive access: AWS, Apple, Google, Microsoft, Nvidia, Broadcom, Cisco, CrowdStrike, Palo Alto Networks, JPMorganChase, and the Linux Foundation. They can use Mythos Preview for defensive security purposes.

Over 40 additional organizations maintaining critical software infrastructure also receive access, covering use cases like local vulnerability detection, black-box binary testing, endpoint security, and penetration testing.

On the funding side, Anthropic provides $100 million in model usage credits to participating organizations. Additionally,$2.5 million goes to Alpha-Omega and OpenSSF through the Linux Foundation, and $1.5 million to the Apache Software Foundation.

For organizations beyond the founding partners, pricing is set at $25 per million input tokens and$125 per million output tokens.

Cisco’s Anthony Grieco stated that “AI capabilities have crossed a threshold that fundamentally changes the urgency needed for critical infrastructure protection.” CrowdStrike’s Elia Zaitsev described it as “the collapse of time between vulnerability discovery and exploitation.”

How This Differs from Bug Bounties

Project Glasswing is fundamentally different from conventional vulnerability disclosure programs and bug bounties.

Bug bounties rely on external security researchers individually discovering and reporting vulnerabilities. They incentivize reporters while vendors develop and release patches. This cycle works, but it’s constrained by the number and skill of human researchers. Project Glasswing replaces that process with autonomous model-driven vulnerability discovery, executing it at industrial scale. Instead of one researcher finding one vulnerability, a single model systematically uncovers thousands.

Verification reliability is also assured. In manual expert review, model severity assessments exactly matched in 89% of 198 reviewed reports, with 98% within one severity level. False positives were zero. If Claude and Taskflow Agent’s Firefox/OSS vulnerability discovery was the prologue, Mythos Preview represents a qualitative leap in both the scale of thousands of findings and autonomous exploit development.

Simon Willison (creator of Datasette) called it “a reasonable trade-off.” Linux kernel maintainer Greg Kroah-Hartman had said “the world changed about a month ago,” noting that AI vulnerability reports had shifted from “low-quality slop” to “legitimate, high-quality disclosures.” The arrival of Mythos Preview marks that inflection point.

Positioning Against Existing Tools

Existing SAST (Static Application Security Testing) tools like CodeQL, Snyk, and Semgrep detect known vulnerability patterns through rule-based matching. Fuzzers search for crashes via random inputs. What distinguishes Mythos Preview is that it understands code intent, discovers unknown vulnerabilities, and autonomously builds working exploits.

The report raises a critical distinction: defenses that rely on friction versus those that rely on hard barriers. Defenses that merely make exploitation “tedious” pose no obstacle to LLMs — at scale, tedious steps are processed at speed. Hard barriers like KASLR (kernel address space layout randomization) and W^X (policy forbidding memory that is both writable and executable) remain effective. Shorter patch cycles, revised disclosure policies, automated incident response — the equilibrium the security community has maintained for 20 years is beginning to crack, and this report puts numbers to it.

Anthropic’s Roadmap

Within 90 days, Anthropic will publish a report covering discoveries, patched vulnerabilities, and security improvements. In parallel, they’re working on standardizing:

• Best practices for vulnerability disclosure
• Software update process improvements
• Open-source supply chain security standards
• Secure development lifecycle recommendations
• Automated triage and patching workflows

Long-term, they aim to establish an independent third-party organization to coordinate AI cybersecurity projects across both private and public sectors.

Mythos Preview will not be publicly released. Instead, future Claude Opus models will ship with enhanced safeguards to detect and block dangerous outputs. Security professionals conducting legitimate defensive work can apply through the “Cyber Verification Program” for access.

Given that Claude’s own safety guardrails were breached via jailbreak, how robust Mythos Preview’s safeguards actually are deserves ongoing scrutiny. The risk of model capabilities leaking indirectly through partner organizations, combined with the governance challenge of a model “too dangerous to release,” means the real test is just beginning.

The Timeline Coincidence with Opus 4.6 Quality Degradation

April 7, the day Mythos Preview was announced, was also the day that an Issue quantifying Claude Code’s quality degradation through 17,871 Thinking blocks was trending on Hacker News with 790 points.

That Issue presented quantitative data: since February, Opus 4.6’s extended thinking depth dropped 67-75%,
the Read:Edit ratio collapsed from 6.6 to 2.0,
and fabrications increased.
Anthropic’s official response was “we have not made intentional changes that affect quality,“
though they acknowledged a bug where adaptive thinking zeroed out thinking allocation on certain turns.

Laying out the timeline reveals a suggestive pattern.

Period	Changes in Opus 4.6	Mythos Preview (speculative)
Early Feb	Baseline period, thinking depth normal	In development/training
Late Feb	Thinking depth -67%	In development/training
Early Mar	Thinking depth -75%, redaction begins	Large-scale evaluation, partner negotiations
Apr 7	Issue blows up, HN 790pt	Project Glasswing announcement

The most suggestive finding in the quality degradation analysis was the time-of-day variation in thinking depth.
After redaction, variance across time-of-day expanded 8.8x,
with depth hitting its lowest during US internet peak hours (17:00, 19:00 PST).
Laurenzo himself identified this pattern as “an infrastructure-level constraint, not a policy-level one” — GPU availability rather than per-user rate limiting.

Reading this alongside Mythos Preview’s existence suggests a hypothesis:
GPU resources may have been prioritized for Mythos Preview’s development and evaluation,
squeezing the compute available for serving Opus 4.6.

Consider the scale of evaluation described in the report.
The OpenBSD bug discovery alone: 1,000 scans costing under $20,000.
Crash testing against the OSS-Fuzz corpus across roughly 1,000 repositories and 7,000 entry points.
Exploit development against all major browsers.
Linux kernel privilege escalation chain construction.
If all of this was running intensively through February and March, the compute consumption would have been substantial.

This is speculation based on circumstantial evidence alone, and Anthropic has offered no such explanation.
Adaptive thinking bugs, default effort level setting changes, redaction effects — multiple independent factors may have contributed to the quality degradation.
Still, maintaining service quality for a public-facing model while running large-scale evaluations that autonomously discover thousands of zero-days, achieve remote root on FreeBSD, and escape browser sandboxes wouldn’t be easy.

If the development of a model “too dangerous to release” came at the cost of a released model’s quality, that would be a different kind of “safety” problem altogether.