Anthropic Glasswing: Claude Mythos Finds 10,000+ Critical Vulnerabilities in 30 Days

Anthropic published an initial update on Project Glasswing on May 22, revealing that Claude Mythos has fundamentally changed the economics of vulnerability research.

The AI system discovered more than 10,000 high-or-critical-severity vulnerabilities across widely used software systems in a single month — a rate that the software industry is not equipped to handle through conventional patching processes.

Notable discoveries:

- CVE-2026-5194: A wolfSSL cryptographic library vulnerability affecting billions of devices worldwide, allowing attackers to forge certificates — discovered and exploited fully autonomously - CVE-2026-4747: A 17-year-old remote code execution vulnerability in FreeBSD allowing root access on machines running NFS - Cloudflare partnership results: approximately 2,000 bugs including 400 high-or-critical severity issues, with 10x improvement in bug discovery rate compared to baseline

The wolfSSL and FreeBSD discoveries affect infrastructure underlying billions of devices and critical systems globally. The 17-year-old RCE vulnerability remaining undiscovered until AI found it demonstrates both the depth of security debt in legacy software and AI's unique capability in vulnerability research.

The practical implication for organizations is architectural redesign, not faster patching. Software systems built on the assumption that vulnerabilities are rare edge cases need to be rethought for a world where AI finds thousands of them in production code every month.

Why It Matters: AI can now identify security flaws faster than organizations can patch them, creating a structural vulnerability queue. This changes security from reactive patching to proactive architectural risk management.