Anthropic's Claude Mythos AI Exposes Thousands of Unpatched Zero-Days Across All Major OS & Browsers

Anthropic has triggered a critical security alert by launching its restricted Claude Mythos Preview model, internally codenamed Project Glasswing. During internal testing, the AI autonomously identified and exploited zero-day vulnerabilities in every major operating system and web browser. Its most alarming discovery is a 17-year-old remote code execution flaw in FreeBSD (CVE-2026-4747, CVSS critical), which allows unauthenticated root access via NFS from anywhere on the internet. More than 99% of the vulnerabilities it found remain unpatched, creating a massive, immediate exposure for global digital infrastructure.

The model's offensive capabilities are so potent that Anthropic has explicitly denied public access. Instead, it has granted exclusive, restricted access to a consortium of tech and finance giants, including AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks. This selective distribution creates a stark power imbalance, concentrating unprecedented offensive security intelligence in the hands of a few elite corporations and their security partners.

The incident marks the first time an AI has autonomously discovered vulnerabilities at this scale and severity. It fundamentally alters the threat landscape, demonstrating that advanced AI can now systematically map and weaponize systemic software flaws faster than they can be patched. The concentration of this capability within a private consortium, rather than a coordinated public disclosure process, raises profound questions about market fairness, defensive readiness, and who controls the most powerful tools in the next generation of cyber conflict.