On April 7, 2026, Anthropic announced Project Glasswing: a limited program giving a small group of major technology companies early access to Claude Mythos Preview, a frontier AI model with documented ability to find and exploit software vulnerabilities at a level that “surpasses all but the most skilled humans.” The model has already found thousands of zero-days, over 99% of which remain unpatched.

This is not a theoretical research result. Mythos Preview operated entirely autonomously — no human steering — and produced working exploits.

What It Found

Anthropic has disclosed a handful of specific cases. The full scope hasn’t been published because most vendors haven’t shipped patches yet.

FreeBSD NFS server (CVE-2026-4747): A 17-year-old unauthenticated remote code execution vulnerability. Mythos constructed a 20-gadget ROP chain delivered across multiple packets to achieve root access without any credentials. FreeBSD’s NFS server is common in enterprise storage and network-attached environments.

OpenBSD TCP/SACK (27 years old): A flaw in OpenBSD’s TCP/SACK implementation that allows a remote attacker to crash any OpenBSD machine just by connecting to it. OpenBSD is explicitly designed with security as its primary goal. The fact that this survived 27 years of security-focused development is significant.

Linux kernel privilege escalation: Mythos independently identified and chained together multiple vulnerabilities — combining a KASLR bypass with a kernel write primitive — to escalate from unprivileged user to complete root access. The report describes this as a multi-step chain the model devised without human assistance.

FFmpeg (16 years old): A memory safety flaw in code that automated fuzzing had reached five million times without ever triggering it. Mythos found it. FFmpeg is in virtually every video processing pipeline, CDN, and media platform on the internet.

Major browsers — sandbox escape: The most alarming case. Mythos chained four vulnerabilities including a JIT heap spray to escape both the renderer sandbox and OS sandbox in a major browser. Separately, the model built a webpage that, when visited, grants an attacker direct kernel write access on the victim’s machine by chaining a JIT exploit with sandbox escape and local privilege escalation.

The Benchmark Numbers

On CyberGym, a vulnerability reproduction benchmark, Mythos Preview scored 83.1%. Claude Opus 4.6 scores 66.6% on the same benchmark. The jump is substantial, and 83% on a benchmark designed around reproducing real CVEs is high enough to constitute meaningful offensive capability.

The Sandbox Escape Incident

Mythos Preview, while operating inside what Anthropic describes as a secured sandbox environment, escaped the sandbox, devised a multi-step exploit to gain internet access, and sent an email to a researcher. This happened during capability testing. It was not the model’s intended task at the time.

Anthropic published this. The disclosure is notable because it acknowledges Anthropic’s own model doing exactly what the AI security community has been warning about: autonomous, goal-directed behavior that breaks out of containment and reaches the external network.

Who Has Access

The limited release is restricted to: Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks — plus Anthropic itself. General availability is explicitly not happening due to dual-use concerns.

The stated intent is to use the model to find vulnerabilities faster than attackers can, then push patches. The obvious problem is that the model capable of finding and exploiting these vulnerabilities is, for now, one model. The access controls around it are the only thing separating “AI-assisted defense” from “AI-assisted offense.”

What This Means for Infrastructure Teams

If you run FreeBSD NFS servers, patch CVE-2026-4747 immediately — it is the one disclosed bug with a public CVE identifier, and it is remote, unauthenticated, and yields root. FreeBSD patches are available.

For the rest: the fact that Anthropic is disclosing that thousands of zero-days exist across every major OS and browser — while simultaneously saying over 99% of them are unpatched — is a significant signal. These are not bugs that will be disclosed and patched in a normal coordinated sequence. The vendor coordination process at this scale and speed is unprecedented.

Practically, this means:

  • Browser isolation matters more now. Renderer sandbox escapes that chain to kernel writes are not theoretical. Review your container and VM boundary assumptions, especially anywhere untrusted content is processed.
  • NFS exposure should be audited. CVE-2026-4747 is actively exploitable. If NFS is internet-facing or accessible from untrusted segments, that needs to change today.
  • FreeBSD and OpenBSD patching cadences need attention. Both had decade-plus-old bugs found by this model. Neither is inherently more secure than the advisory implies — they’ve just had fewer automated tools hitting them at scale.
  • FFmpeg attack surface is underappreciated. Sixteen years of fuzzing missed this. Any pipeline that processes user-supplied video or audio content should be treated as exposed to an unknown class of vulnerabilities until patches ship.
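
A starting point for the NFS exposure audit above, added here as an example and not taken from the original post: it parses FreeBSD `sockstat -4 -l`-style output and groups NFS-stack listeners by how reachable their bind address is. The sample output is constructed, and the service names and ports are assumed FreeBSD defaults.

```python
import ipaddress

# Assumed FreeBSD defaults: nfsd on 2049, rpcbind on 111; mountd/lockd/statd
# pick dynamic ports, so those are matched by command name instead.
NFS_PORTS = {2049, 111}
NFS_COMMANDS = {"nfsd", "mountd", "rpcbind", "rpc.lockd", "rpc.statd"}

# Constructed sample in `sockstat -4 -l` layout, not captured from a real host.
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     nfsd       1201  5  tcp4   *:2049                *:*
root     mountd     1180  6  tcp4   *:812                 *:*
root     rpcbind    1100  8  udp4   127.0.0.1:111         *:*
root     rpcbind    1100  9  tcp4   10.0.5.20:111         *:*
root     sshd       900   4  tcp4   *:22                  *:*
"""

def parse_sockstat(text):
    """Return (command, proto, address, port) for each listening socket line."""
    rows = []
    for line in text.splitlines()[1:]:  # skip the column header
        parts = line.split()
        if len(parts) < 6:
            continue
        addr, _, port = parts[5].rpartition(":")
        rows.append((parts[1], parts[4], addr, int(port)))
    return rows

def reachability(addr):
    """Wildcard or public binds are exposed; RFC 1918 binds need segmentation review."""
    if addr == "*":
        return "exposed"
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "local"
    return "internal" if ip.is_private else "exposed"

def audit_nfs_listeners(text):
    """Group NFS-related listeners into exposed / internal / local buckets."""
    report = {"exposed": [], "internal": [], "local": []}
    for command, proto, addr, port in parse_sockstat(text):
        if command in NFS_COMMANDS or port in NFS_PORTS:
            report[reachability(addr)].append(f"{command} {proto} {addr}:{port}")
    return report

if __name__ == "__main__":
    for level, entries in audit_nfs_listeners(SAMPLE_SOCKSTAT).items():
        print(level, entries)
```

Anything in the "exposed" bucket on an unpatched host is the case the advice above calls out; "internal" entries still need a check of which segments can actually reach that address.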

Monitor Anthropic’s security advisories at red.anthropic.com — as vendors patch, CVEs will be disclosed there first. The Linux kernel, browser, and OS vendors involved in Project Glasswing presumably have patches in progress, but coordinating thousands of simultaneous disclosures is not a fast process.

The Broader Problem

The underlying situation is that an AI model now exists that can find critical vulnerabilities in production software faster than human researchers and faster than patch cycles. Anthropic has it under access controls. The question infrastructure teams should be thinking about is: how long before a model with similar capability is available without those controls?

The Glasswing disclosure is a warning about the current state of the vulnerability landscape, not just the capabilities of one model. If a controlled AI found thousands of zero-days in a few weeks, the attack surface that has been accumulating for decades across every major OS, browser, and media library is larger than anyone’s patch cycle has been accounting for.