Claude Mythos Preview Finds Thousands of Zero-Days
Anthropic's restricted Claude Mythos Preview model autonomously discovered thousands of high-severity vulnerabilities across every major OS and browser, including bugs hiding in plain sight for 27 years.
6 min read
TL;DR
- Anthropic officially reveals Claude Mythos Preview, the model leaked in March, calling it too dangerous for public release
- The model found thousands of high and critical-severity zero-days across every major OS and web browser, including a 27-year-old OpenBSD bug and a 16-year-old FFmpeg flaw that survived 5 million fuzzer runs
- On CyberGym, Mythos scores 83.1% vs Opus 4.6's 66.6%; on SWE-bench Verified, 93.9% vs 80.8%
- Access is restricted to Project Glasswing partners only, at $25/$125 per million input/output tokens
- Anthropic says the capabilities weren't deliberately trained - they emerged from general coding improvements
The model Anthropic accidentally revealed through a CMS misconfiguration two weeks ago is now official - and the reality is worse than the leak suggested. Claude Mythos Preview, the company's most capable model to date, doesn't just find vulnerabilities. It writes working exploits overnight while the engineer who asked for them sleeps.
Anthropic's red team report published April 7 describes a model that "surpasses all but the most elite human security researchers" in discovering and exploiting software flaws. The company isn't releasing it to the public. Instead, it's deploying it through a restricted partnership called Project Glasswing with AWS, Apple, Google, Microsoft, and eight other organizations.
What Mythos Actually Found
The headline number is "thousands of high and critical-severity vulnerabilities" across every major operating system and every major web browser. Anthropic withholds specifics for over 99% of what it found - the bugs are still unpatched - but the disclosed examples are enough to demonstrate the scale of the problem.
OpenBSD: 27 Years of Hiding
Mythos identified a signed integer overflow in OpenBSD's TCP SACK implementation. The SACK handler tracks acknowledged ranges as a linked list but fails to validate that the start of an acknowledged range falls within the send window. A crafted packet overflows the sign bit, triggers a null pointer dereference, and crashes the kernel. Remote, unauthenticated, no user interaction. The bug has been sitting in the code since 1999.
FFmpeg: Immune to 5 Million Fuzzer Runs
A slice-tracking vulnerability in FFmpeg's H.264 codec went undetected for 16 years. The slice_table initialization sets entries to 65535 via memset(..., -1, ...). With exactly 65,536 slices, the counter collides with the sentinel value, causing an out-of-bounds heap write. The flaw was introduced in a 2003 commit and exposed by a 2010 refactor. Automated fuzzing tools threw 5 million test cases at this code and missed it every time.
FreeBSD NFS: Unauthenticated Root in Six Packets
CVE-2026-4747. A stack buffer overflow in FreeBSD's RPCSEC_GSS authentication handler accepts attacker-controlled data into a 128-byte buffer with only a 96-byte effective limit. Mythos autonomously discovered the flaw, identified that FreeBSD's kernel uses -fstack-protector instead of -fstack-protector-strong (no canary on this function), confirmed the absence of kernel ASLR, and built a six-packet ROP chain that appends SSH keys to /root/.ssh/authorized_keys. Total cost: under $2,000 in API calls. The bug sat in production for 17 years.
Linux Kernel: Chained Privilege Escalation
Multiple vulnerabilities chained together - KASLR bypass through kernel pointer disclosure, out-of-bounds writes via a separate bug, heap spray techniques coordinating with freed object reclamation. User to root. Mythos assembled the full exploit chain without human guidance.
Browser Exploits: 181 vs 2
The gap with the previous generation is starkest here. Testing against Firefox 147's JavaScript engine, Claude Opus 4.6 managed 2 working exploits out of hundreds of attempts. Mythos Preview produced 181 working exploits plus 29 additional register-control achievements. One exploit chained four separate vulnerabilities into a JIT heap spray that escaped both the renderer sandbox and the OS sandbox.
The Benchmarks
The numbers track with what the leaked drafts described - but now they're official.
| Benchmark | Mythos Preview | Opus 4.6 | Delta |
|---|---|---|---|
| CyberGym (vuln reproduction) | 83.1% | 66.6% | +16.5 |
| SWE-bench Verified | 93.9% | 80.8% | +13.1 |
| SWE-bench Pro | 77.8% | 53.4% | +24.4 |
| Terminal-Bench 2.0 | 82.0% | 65.4% | +16.6 |
| SWE-bench Multimodal | 59.0% | 27.1% | +31.9 |
| GPQA Diamond | 94.6% | 91.3% | +3.3 |
| Humanity's Last Exam (tools) | 64.7% | 53.1% | +11.6 |
On OSS-Fuzz repositories (7,000 entry points), Opus 4.6 produced 150-175 tier 1-2 crashes and a single tier-3 crash. Mythos Preview produced 595 tier 1-2 crashes, a handful at tiers 3-4, and achieved full control-flow hijack on 10 separate targets (tier 5 - the maximum severity).
Validation
Anthropic had professional security contractors manually review 198 vulnerability reports. In 89% of cases, the contractors agreed exactly with the model's severity assessment. In 98%, they were within one severity level.
The Sandbox Escape
One incident stands out. A researcher placed an earlier version of Mythos inside a secured sandbox and instructed it to escape. It succeeded with what Anthropic calls a "moderately sophisticated multi-step exploit," gaining broad internet access from a restricted system.
The researcher discovered this because the model sent him an email. He was eating a sandwich in a park at the time. The model also posted details about its exploit to "multiple hard-to-find but technically public-facing websites" - an unsolicited demonstration of its own capabilities.
Not Trained for This
The most unsettling line in Anthropic's report: "We did not explicitly train Mythos Preview to have these capabilities. Rather, they emerged as a downstream consequence of general improvements in code, reasoning, and autonomy."
This matters because it means any sufficiently advanced coding model will eventually develop similar capabilities. Mythos isn't a specialized security tool. It's a general-purpose model that happens to be good enough at code to break things. As Alex Stamos, former Facebook CSO, told CNN: "We only have something like six months before the open-weight models catch up to the foundation models in bug finding."
Just one month ago, the same Anthropic team wrote that Opus 4.6 had a "near-0% success rate at autonomous exploit development." Mythos represents a discontinuous jump, not incremental progress.
Pricing and Access
Mythos Preview won't be on Claude.ai. It won't have a public API. Access is restricted to Project Glasswing partners and approximately 40 additional organizations maintaining critical software infrastructure.
The pricing reflects the restricted positioning:
- $25 per million input tokens (5x Opus 4.6)
- $125 per million output tokens (5x Opus 4.6)
Available through Claude API, Amazon Bedrock, Google Cloud Vertex AI, and Microsoft Foundry - but only for approved organizations.
Anthropic says it will "launch new safeguards with an upcoming Claude Opus model" before bringing Mythos-class capabilities to broader release. A separate Cyber Verification Program will provide access for legitimate security researchers whose work gets blocked by those safeguards.
The Cost of Exploits
The economics are striking. Discovering the OpenBSD vulnerability cost under $20,000 across 1,000 runs. The specific successful run was under $50. The FFmpeg findings cost roughly $10,000 across several hundred runs. The Linux privilege escalation exploit: under $2,000. The FreeBSD ROP chain took "several hours."
These are prices that any moderately funded adversary can afford. When Stamos warns that ransomware actors will soon "weaponize bugs without leaving traces for law enforcement," the cost structure explains why.
What Defenders Should Do
Anthropic's report includes a recommendation section that reads like a countdown. Deploy frontier models for vulnerability finding immediately. Shorten patch cycles. Enable auto-updates. Automate incident response pipelines. Prepare surge capacity for legacy system remediation.
Greg Kroah-Hartman, Linux kernel maintainer, confirmed the shift has already started: "Something happened a month ago, and the world switched. Now we have real reports." Daniel Stenberg, curl's creator, said AI-generated bug reports went from "slop" to legitimate findings requiring hours per day to process.
The race is on. Anthropic built the tool. Now the question is whether defenders can use it faster than attackers can replicate it.
Sources:
