Back to Home

Claude Mythos found a bug in OpenBSD 27 years

Claude Mythos Preview from Anthropic detected thousands of vulnerabilities, including 27-year-old bug in OpenBSD. Model leads in SWE-bench and CyberGym benchmarks. Project Glasswing invests $104M in infrastructure security.

Anthropic AI hacked OpenBSD: 27-year bug
Advertisement 728x90

Claude Mythos Preview Uncovers Vulnerabilities in OpenBSD and Other Systems

Anthropic has launched Project Glasswing — a program for scanning critical infrastructure using the non-public Claude Mythos Preview model. In just weeks of operation, the AI discovered thousands of unknown vulnerabilities in major OSes and browsers. Partners include AWS, Apple, Google, Microsoft, NVIDIA, and more than 40 organizations that gained access to audit their systems.

The model is not being released publicly due to its advanced cyber capabilities. On benchmarks, Mythos Preview outperforms Opus 4.6:

  • SWE-bench Verified: 93.9% vs. 80.8%;
  • Terminal-Bench 2.0: 82% vs. 65.4%;
  • CyberGym: 83.1% vs. 66.6%.

Anthropic plans to refine safety mechanisms in Opus before releasing Mythos-class models.

Google AdInline article slot

27-Year-Old Vulnerability in OpenBSD

In OpenBSD, renowned for its strict security, the model autonomously found a bug that allowed remotely crashing a machine with a simple connection. The vulnerability had existed for 27 years and was patched after discovery.

This demonstrates the effectiveness of AI in analyzing legacy code without human hints. OpenBSD is the gold standard for minimalism and auditing, where such flaws are rare.

Bugs in FFmpeg and Linux Kernel

In FFmpeg, Mythos Preview uncovered a 16-year-old defect in a single line of code that evaded 5 million automated tests. The bug could cause crashes during media processing.

Google AdInline article slot

In the Linux kernel, the AI independently pieced together a vulnerability chain granting a regular user root access. All findings have been patched.

Such chains require deep understanding of component interactions — a task where AI surpasses manual auditing.

Funding and Model Access

Anthropic is allocating $100 million in credits to participants and $4 million for open source security:

Google AdInline article slot
  • $2.5 million — Alpha-Omega and OpenSSF via Linux Foundation;
  • $1.5 million — Apache Software Foundation.

After the preview, Mythos Preview will be available to partners at $25 per million input tokens and $125 per million output tokens via Claude API, Amazon Bedrock, Google Vertex AI, and Microsoft Foundry.

The project is named after the Greta oto butterfly with transparent wings — a metaphor for hidden vulnerabilities and the need for transparency.

Key Takeaways

  • Mythos Preview autonomously finds legacy vulnerabilities in OpenBSD (27 years), FFmpeg (16 years), and Linux kernel.
  • Benchmarks: leadership in SWE-bench (93.9%), Terminal-Bench (82%), CyberGym (83.1%).
  • $104 million in investments for infrastructure and open source security.
  • Model integrates into API platforms from AWS, Google, and Microsoft for enterprise auditing.
  • Results report in 90 days.

Prospects for Developers

For mid-level and senior specialists, this is a signal to integrate AI into CI/CD for security scanning. The model excels at:

  • Autonomous fuzzing of legacy code;
  • Assembling exploit chains;
  • Bypassing existing test scenarios.

Project Glasswing focuses on infrastructure where manual auditing can't keep up with the codebase. The expected report will reveal best practices for the industry.

— Editorial Team

Advertisement 728x90

Read Next