Anthropic Glasswing: 10,000+ Critical Vulnerabilities Found in 30 Days

Anthropic published an initial update on Project Glasswing on May 22, reporting that Claude Mythos has discovered more than 10,000 high-or-critical-severity vulnerabilities across widely used software systems in a single month.

Notable discoveries:

• CVE-2026-5194: A vulnerability in wolfSSL (an open-source cryptographic library used by billions of devices worldwide) that allows an attacker to forge certificates — discovered and exploited fully autonomously without human guidance

• CVE-2026-4747: A 17-year-old remote code execution vulnerability in FreeBSD that allows root access on machines running NFS — demonstrating AI vulnerability research is uncovering flaws human researchers missed for nearly two decades

• Cloudflare reported finding roughly 2,000 bugs including 400 high-or-critical severity issues through Glasswing participation

• Partner organizations reported 10x improvement in bug discovery rate compared to baseline, with fewer false positives than conventional human-led testing

The finding rate — 10,000+ critical vulnerabilities in 30 days — is not a cybersecurity benchmark improvement. It is a fundamental change in the economics and scale of vulnerability research. The software industry is not equipped to patch vulnerabilities at this discovery rate, creating a structural security debt that will grow faster than it can be cleared.

Why It Matters: The wolfSSL and FreeBSD discoveries affect infrastructure underlying billions of devices globally. Organizations running these systems should treat both findings as critical remediation items immediately.