Claude Mythos Found Your Zero-Days. Here Is What to Patch Now.
Quick summary
Claude Mythos autonomously found CVE-2026-4747 (a 17-year-old FreeBSD RCE), a 27-year-old OpenBSD crash bug, an FFmpeg vulnerability, and a Linux kernel privilege escalation chain. More than 99% of its findings are unpatched. What every developer must do now.
Anthropic's Claude Mythos Preview — the model that will not be released publicly because it is too dangerous — found thousands of zero-day vulnerabilities across every major operating system and browser. Autonomously. In weeks. More than 99% of those vulnerabilities are not yet patched.
This is not a future-state concern. The FreeBSD RCE it found (CVE-2026-4747) sat in production codebases for 17 years. The OpenBSD crash bug had been there for 27 years. These are not edge cases in obscure software. FreeBSD powers Netflix's content delivery infrastructure. OpenBSD is the default choice for security-conscious deployments precisely because people assumed it was audited. FFmpeg processes video in virtually every media application on the internet.
The question is not whether AI will find your zero-days. It already did. The question is whether a defender found them first or whether an attacker will.
The Specific Vulnerabilities Mythos Found
These are the disclosed cases from Project Glasswing's coordinated disclosure pipeline:
CVE-2026-4747 — FreeBSD NFS Remote Code Execution (17 years old)
An unauthenticated remote code execution vulnerability in FreeBSD's NFS implementation. Any machine running NFS with a network-accessible mount point is potentially exploitable. An attacker can gain root access without credentials. FreeBSD powers Netflix, WhatsApp's infrastructure components, the PlayStation operating system, and a significant share of high-performance network appliances. The patch was released under coordinated disclosure — update FreeBSD immediately if NFS is exposed.
OpenBSD Remote Crash Bug (27 years old)
An unauthenticated crash vulnerability in OpenBSD that allows any remote attacker to crash any OpenBSD server. OpenBSD is widely used for firewalls, VPN gateways, and security-hardened deployments specifically because of its reputation for thorough code auditing. A 27-year-old crash bug in OpenBSD is the cybersecurity equivalent of finding a structural flaw in a bank vault. The disclosure has been filed; patch details pending vendor release.
FFmpeg Memory Vulnerability
A memory corruption vulnerability in FFmpeg — the open-source multimedia framework used in virtually every video processing application, browser, streaming platform, and media tool. FFmpeg is in your phone, your video conferencing app, your browser, and your content delivery pipeline. Memory corruption vulnerabilities in FFmpeg are historically among the most exploited categories because of the library's universal deployment. Patch status: under coordinated disclosure.
Linux Kernel Privilege Escalation Chain
A chain of vulnerabilities that together allow local privilege escalation on Linux systems. Local privilege escalation is a critical category because it converts a low-privilege foothold (a compromised web application, a phishing payload running as a user) into full root access. This chain, too, was discovered autonomously by Mythos. Patch pending kernel maintainer release.
What "Autonomously" Means Here
The distinction that makes Mythos's findings significant is not that it found vulnerabilities — security researchers find vulnerabilities regularly. It is that it found them autonomously, at scale, across the entire major software stack, in weeks.
Traditional vulnerability research is constrained by human attention and time. A skilled security researcher might audit one component deeply over weeks. Mythos can audit hundreds of components simultaneously, systematically, with no attention span limits. The 17-year-old FreeBSD bug was not found earlier because no human researcher ever had sufficient reason to spend enough time auditing that specific NFS code path. Mythos does not have that constraint.
The SWE-bench score — 93.9% — is the benchmark number. For context: the best human software engineers score in the 40-60% range on SWE-bench tasks. Mythos at 93.9% is operating at roughly double the median expert human level on software engineering tasks. When that capability is directed at finding bugs rather than fixing them, the discovery rate scales accordingly.
The implication is direct: every codebase written predominantly in C or C++ before 2015 is now suspect in a way it was not six months ago. Not because the bugs are new — they have always been there. But because the tool that can find them systematically now exists.
What Every Developer Must Do Right Now
Step 1: Patch the disclosed CVEs immediately.
- FreeBSD users: Apply the CVE-2026-4747 patch. If you are running NFS-exposed FreeBSD systems — content delivery, network appliances, BSD-based hypervisors — treat this as a critical emergency patch. Unauthenticated root access means perimeter exposure is sufficient for exploitation.
- OpenBSD users: Monitor OpenBSD's errata page. The crash vulnerability disclosure is pending. Until patched, review whether your OpenBSD-based firewalls and gateways have unnecessary network exposure.
- FFmpeg users: Check FFmpeg version and apply security patches. If you are processing untrusted user-submitted video or media content through FFmpeg, assess whether the vulnerability is in your processing path.
- Linux users: Monitor kernel security announcements. The privilege escalation chain will come through the kernel security mailing list. Subscribe to [email protected] if you are not already.
Step 2: Audit your C/C++ dependency tree.
The four disclosed vulnerabilities are representative, not exhaustive. Thousands more are in the coordinated disclosure pipeline. If your application stack has dependencies on:
- Any C/C++ library with network exposure
- Media processing libraries (not just FFmpeg — libpng, libxml2, libjpeg)
- Kernel modules with user-controllable input paths
- Any OpenBSD or FreeBSD components
Run your dependency audit now, before the full disclosure list becomes public. Coordinated disclosure means vendors get advance notice before public release — you are in the window between "Anthropic found it" and "attackers know about it."
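As an added example (not code from the article or from Project Glasswing), a small triage script that walks a CycloneDX-style SBOM and flags components on the watchlist this step describes: FFmpeg and its libav* libraries, libpng, libjpeg, libxml2, and NFS/RPC components. The SBOM fragment is constructed, and the name patterns and reason labels are this example's own assumptions.

```python
"""Flag watchlisted C/C++ components in a CycloneDX-style SBOM.
Added example, not from the article; the SBOM below is constructed."""
import json
import re

# Name patterns -> why the component matters; categories follow the article's list.
WATCHLIST = {
    r"^(lib)?(av(codec|format|util|filter)|ffmpeg)": "media processing (FFmpeg)",
    r"^libpng": "media processing (libpng)",
    r"^libjpeg": "media processing (libjpeg)",
    r"^libxml2": "untrusted file parsing (libxml2)",
    r"^(nfs-|rpcbind|libtirpc)": "legacy network protocol (NFS/RPC)",
}

# Constructed inventory, not a real system's SBOM.
SAMPLE_SBOM = json.dumps({"components": [
    {"name": "ffmpeg", "version": "4.2.1", "purl": "pkg:deb/debian/ffmpeg@4.2.1"},
    {"name": "libpng16", "version": "1.6.37"},
    {"name": "openssl", "version": "3.0.13"},
    {"name": "libtirpc", "version": "1.3.3"},
    {"name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"},
]})

def audit_sbom(sbom_json: str) -> list:
    """Return [(name, version, reason)] for components matching the watchlist."""
    hits = []
    for comp in json.loads(sbom_json).get("components", []):
        name = str(comp.get("name", "")).lower()
        for pattern, reason in WATCHLIST.items():
            if re.search(pattern, name):
                hits.append((comp.get("name"), comp.get("version", "?"), reason))
                break  # one reason per component is enough for triage
    return hits

if __name__ == "__main__":
    for name, version, reason in audit_sbom(SAMPLE_SBOM):
        print(f"{name} {version}: {reason}; check vendor advisories as disclosures land")
```

Feed it the SBOM your build already emits (CycloneDX JSON from most package managers) and review every hit against the vendor's advisory feed.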
Step 3: Stop assuming age equals security.
The 17-year-old FreeBSD bug and 27-year-old OpenBSD bug demolish the security community's assumption that widely used, mature code is thoroughly audited. That assumption was always probabilistic — it held because the number of human auditors was limited and the number of codebases was large. Mythos invalidates the probabilistic calculation entirely. Old code is not more secure because it is old. It is more dangerous because it has had longer to accumulate unaudited paths.
Step 4: Implement network segmentation for NFS and legacy protocols.
CVE-2026-4747's attack vector is NFS — a protocol that should never be exposed to untrusted networks. If you have NFS mounts accessible from anything other than explicitly trusted internal IPs, close that exposure immediately, regardless of whether you have patched. The principle applies broadly: legacy protocols (NFS, SMB, RPC over TCP) running on internal networks with broad access are your highest-risk surface until the full disclosure list is published.
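One concrete check for the exposure this step describes, as an added example that is not from the article or from FreeBSD: a parser for a FreeBSD-style /etc/exports file that reports every export line with no host list and no -network restriction, which exports(5) serves to any client that can reach mountd. The sample exports file is constructed; the option table is this example's own reading of exports(5).

```python
"""Flag exports reachable from any client in a FreeBSD-style /etc/exports.
Added example, not from the article or FreeBSD; sample file is constructed."""
from typing import List, Optional, Tuple

VALUE_OPTS = {"-network", "-mask", "-maproot", "-mapall", "-sec", "-index"}  # next token is the value when no '='

SAMPLE_EXPORTS = """\
# constructed sample, not a real host's configuration
/export/media -ro -network 10.20.0.0/16
/export/home -maproot=root clienta clientb
/export/scratch -alldirs
/export/build -maproot=root -alldirs
V4: /export -sec=sys
"""

def parse_export_line(line: str) -> Optional[dict]:
    """Split one export line into directories, hosts, -network and -maproot."""
    tokens = line.split()
    if not tokens or tokens[0].startswith("#") or tokens[0] == "V4:":
        return None  # blank, comment, or NFSv4 root line
    dirs, hosts, network, maproot = [], [], None, None
    i = 0
    while i < len(tokens) and tokens[i].startswith("/"):
        dirs.append(tokens[i])
        i += 1
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("-"):
            name, _, value = tok.partition("=")
            if not value and name in VALUE_OPTS and i + 1 < len(tokens):
                i += 1
                value = tokens[i]
            if name == "-network":
                network = value
            elif name == "-maproot":
                maproot = value
        else:
            hosts.append(tok)  # bare token after the directories is a host
        i += 1
    return {"dirs": dirs, "hosts": hosts, "network": network, "maproot": maproot}

def find_world_exports(exports_text: str) -> List[Tuple[str, Optional[str]]]:
    """Return (directory, maproot) for every export with no client restriction."""
    flagged = []
    for line in exports_text.splitlines():
        entry = parse_export_line(line)
        if entry and not entry["hosts"] and not entry["network"]:
            flagged.extend((d, entry["maproot"]) for d in entry["dirs"])
    return flagged
```

An unrestricted export that also carries -maproot=root is the worst combination: any reachable client gets root-mapped access, so restrict it first.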
The Threat Model Has Changed Permanently
Project Glasswing's structure — restricted access, 11 enterprise partners, $100M in defensive usage — is Anthropic's acknowledgment that they have created something that cannot be safely released to the open internet. The 11 partners (AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, Linux Foundation, Microsoft, Nvidia, Palo Alto Networks) are the most significant cybersecurity ecosystem stakeholders on the planet. Even with that coalition, Anthropic donated $4M to open-source security organisations specifically because most of the software that Mythos found vulnerabilities in is maintained by underfunded open-source developers.
The threat model shift: attackers who obtain access to a Mythos-equivalent model — through a different AI lab releasing a less restricted model, through model theft, or through a state-level adversary developing comparable capability — can conduct the same autonomous zero-day discovery at scale. The defensive advantage Project Glasswing provides exists only while the offensive capability remains restricted.
State actors (China, Russia, North Korea, Iran) are all actively investing in offensive AI for vulnerability discovery. The assumption that Mythos-level capability is exclusively in Anthropic's hands is probably true today. It may not be true in 12-18 months. The coordinated disclosure pipeline that Project Glasswing is running now — patching the thousands of vulnerabilities Mythos found before those state actors develop the same capability — is a race with a deadline.
What AI-Assisted Vulnerability Discovery Means for Your Security Posture
For teams running legacy C/C++ codebases in production:
Schedule a review of your highest-risk components — anything with network exposure, file parsing, or media processing. Budget for this in Q2 2026. The alternative is discovering the vulnerability from your incident response team after exploitation.
For teams evaluating security tooling:
AI-assisted static analysis tools that use models comparable to Claude 3.7 Sonnet are now commercially available (Snyk DeepCode, GitHub Advanced Security, Semgrep). None of these are Mythos-level — they are much less capable. But they are catching vulnerability classes that traditional SAST tools miss. Layer them into your CI pipeline now, before Mythos-level capabilities become commercially available or adversarially deployed.
For infrastructure teams relying on FreeBSD or OpenBSD:
Patch CVE-2026-4747 immediately. Treat the forthcoming OpenBSD disclosure as a tier-1 emergency patch when it drops. These operating systems are used specifically in high-security contexts — firewalls, network appliances, content delivery. A root access vulnerability in your security perimeter is the worst-case scenario.
Key Takeaways
- Claude Mythos autonomously found CVE-2026-4747 — a 17-year-old unauthenticated root RCE in FreeBSD NFS, affecting Netflix CDN, PlayStation, and network appliances; patch immediately if you run exposed NFS
- 27-year-old OpenBSD crash bug — unauthenticated remote crash of any OpenBSD server; disclosure pending; monitor errata.openbsd.org
- FFmpeg memory vulnerability and Linux kernel privilege escalation chain — both under coordinated disclosure; patch when released; FFmpeg is in virtually every media processing pipeline
- 99%+ of Mythos's findings are unpatched — the full coordinated disclosure list has not been published; you are in the window between discovery and public exposure
- The threat model has changed: autonomous AI vulnerability discovery at Mythos-level capability renders the "old code is audited code" assumption false; every C/C++ codebase with network exposure needs a fresh audit
- State actors are developing the same capability — Project Glasswing's defensive advantage is time-limited; the race to patch before adversarial AI discovers the same bugs is running now
For the full Project Glasswing announcement and model capabilities, read Project Glasswing: Claude Mythos found zero-days in every major OS. Compare current AI model capabilities and pricing with LLM API Pricing. For the developer job market context as AI security capabilities grow, read where the tech jobs went after the AI hiring wave.
Frequently Asked Questions
What is CVE-2026-4747 and should I patch it immediately?
CVE-2026-4747 is a 17-year-old unauthenticated remote code execution vulnerability in FreeBSD's NFS implementation, discovered autonomously by Anthropic's Claude Mythos model. An attacker with network access to an NFS-exposed FreeBSD system can gain root access without credentials. FreeBSD is used in Netflix CDN infrastructure, PlayStation OS, and network appliances. If you run any FreeBSD systems with NFS network exposure, patch immediately and treat this as a critical emergency.
How did Claude Mythos find vulnerabilities that human researchers missed for 17-27 years?
Traditional vulnerability research is constrained by human attention — a skilled researcher can audit one component deeply over weeks. Claude Mythos can audit hundreds of components simultaneously with no attention span limits, at a SWE-bench score of 93.9% (roughly double median expert human performance on software engineering tasks). The 17-year-old FreeBSD bug was not found earlier because no human ever had sufficient motivation to spend enough time on that specific NFS code path. Mythos has no such constraint.
Is Claude Mythos available to developers for security research?
No. Anthropic is not releasing Claude Mythos publicly because a model that autonomously finds and exploits zero-days in production codebases is too dangerous for open access. Access is restricted to 11 Project Glasswing partners: AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, Linux Foundation, Microsoft, Nvidia, and Palo Alto Networks. Anthropic committed $100M in usage credits to this defensive program and $4M in direct donations to open-source security organizations.
What should developers do before the full Mythos disclosure list is published?
Four actions: (1) Patch CVE-2026-4747 on any FreeBSD NFS-exposed systems immediately; (2) monitor OpenBSD errata for the forthcoming 27-year-old crash bug disclosure; (3) audit your C/C++ dependency tree for components with network exposure, file parsing, or media processing — especially anything using FFmpeg or network protocols like NFS and RPC; (4) close NFS, SMB, and legacy protocol exposure to untrusted networks now, regardless of patch status.
Can state actors develop Claude Mythos-level vulnerability discovery capability?
Probably yes, within 12-18 months. China, Russia, North Korea, and Iran are all actively investing in offensive AI for vulnerability discovery. Project Glasswing's defensive advantage exists while Mythos-level capability remains restricted to Anthropic. The coordinated disclosure pipeline running now — patching thousands of Mythos-found vulnerabilities before state actors develop comparable capability — is a race with a deadline. Anthropic's SWE-bench score advantage (93.9%) represents the current lead; that gap narrows as competing labs advance.
Written by
Software Engineer based in Delhi, India. Writes about AI models, semiconductor supply chains, and tech geopolitics — covering the intersection of infrastructure and global events. 941+ posts cited by ChatGPT, Perplexity, and Gemini. Read in 167 countries.
