Anthropic Glasswing: Claude Mythos Finds 10,000+ Critical Vulnerabilities in 30 Days
View original source →Anthropic published an initial update on Project Glasswing on May 22, reporting that Claude Mythos has discovered more than 10,000 high-or-critical-severity vulnerabilities across widely used software systems in a single month.
The scale and speed fundamentally changes the economics of vulnerability research — and creates a security debt that will grow faster than it can be cleared.
Key points:
• Claude Mythos fully autonomously identified CVE-2026-5194, a wolfSSL cryptographic library vulnerability allowing certificate forgery — wolfSSL is used by billions of devices worldwide
• Mythos independently found CVE-2026-4747, a 17-year-old FreeBSD remote code execution vulnerability allowing root access on machines running NFS
• Cloudflare reported finding roughly 2,000 bugs including 400 high-or-critical issues through Glasswing participation, with greater than 10x improvement in bug discovery rate
• Fewer false positives than conventional human-led testing
The 17-year-old FreeBSD discovery demonstrates that AI vulnerability research is uncovering flaws in foundational infrastructure that human researchers missed for nearly two decades.
The finding rate is not a cybersecurity benchmark improvement — it is a fundamental change in scale. The software industry is not equipped to patch vulnerabilities at this discovery rate.
Why It Matters: Every production system in use today was built before AI-scale vulnerability scanning existed. The appropriate response is architectural redesign, not faster patching. Security leaders should prioritize wolfSSL and FreeBSD remediation immediately.