Anthropic has announced the initial results of testing its preliminary version of the Mythos AI model, which significantly expands its capabilities for finding bugs, identifying vulnerabilities, and writing ready-made exploits. Using the Mythos AI model, Anthropic scanned over a thousand important open-source projects, identifying 23019 vulnerabilities. 6202 of these vulnerabilities were rated as high or critical.
Of the 6202 vulnerabilities classified as dangerous by the Mythos AI model, 1752 were verified by independent security researchers. In 1587 cases (90.6%), the vulnerability was confirmed, and in 1094 cases (62.4%), the severity level remained high or critical. Given the current false positive rate, it is expected that of the 6202 dangerous vulnerabilities identified by the AI model, approximately 3900 (62.4%) will retain the model's high severity rating, not including the dangerous vulnerabilities identified separately by 50 Glasswing project participants.
Information on 467 verified vulnerabilities was shared with open source project maintainers by representatives of the reviewing companies. Upon separate requests, Anthropic employees directly shared information on 1129 unverified issues with maintainers. In total, maintainers of 281 open source projects received information on 1596 issues and confirmed the presence of 1451 vulnerabilities. However, only 97 issues have been fixed in the codebases so far, and 88 public vulnerability reports have been issued.
Furthermore, 50 Glasswing project participants who were given early access to the Mythos model reportedly identified over 10 dangerous vulnerabilities in their codebases. For example, Cloudflare found over 2000 bugs using Mythos, 400 of which were rated high or critical; Cloudflare's false positive rate was lower than that of human testing. Mozilla, when testing Firefox 150, found 271 vulnerabilities using Mythos, 10 times more than the number found when testing Firefox 148 with the Claude Opus 4.6 model.
An example of a critical issue that has already been fixed is a vulnerability (CVE-2026-5194) in the wolfSSL cryptographic library. Mythos was able to prepare an exploit that allows an attacker to generate a forged ECDSA certificate for websites and mail servers, which the wolfSSL library accepted as valid during verification. The issue was caused by a missing hash size and OID check in the code, which allowed a smaller-than-permissible hash size to be specified in the certificate.
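To make the class of defect concrete, here is an added illustration in C; it is not wolfSSL's code and is not taken from the advisory, and the algorithm identifiers, function names and digest lengths are constructed for the example. The point is that a verifier must derive the digest length it expects from the certificate's signature-algorithm OID and reject any mismatch, instead of trusting a length supplied by the certificate itself. The lenient function shows the weak pattern (any length up to the maximum is accepted); the strict function is the check that closes it.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical signature-algorithm identifiers standing in for the decoded
 * ASN.1 OIDs a real parser would produce. These are NOT wolfSSL's constants. */
typedef enum {
    SIG_ECDSA_SHA256 = 1,
    SIG_ECDSA_SHA384 = 2,
    SIG_ECDSA_SHA512 = 3
} sig_alg_t;

/* Digest length, in bytes, that each algorithm identifier commits to.
 * Returns 0 for an identifier the verifier does not know. */
size_t expected_digest_len(sig_alg_t alg)
{
    switch (alg) {
    case SIG_ECDSA_SHA256: return 32;
    case SIG_ECDSA_SHA384: return 48;
    case SIG_ECDSA_SHA512: return 64;
    default:               return 0;
    }
}

/* Weak pattern (constructed for illustration): the supplied digest length is
 * only bounded above, so a digest shorter than the algorithm requires passes
 * through to the ECDSA arithmetic. */
int accepts_digest_lenient(sig_alg_t alg, size_t digest_len)
{
    size_t max_len = expected_digest_len(alg);
    if (max_len == 0) max_len = 64;          /* unknown OID falls back silently */
    return digest_len > 0 && digest_len <= max_len;
}

/* Hardened check: the digest length must equal exactly what the OID demands,
 * and an unknown OID is rejected rather than defaulted. Returns 1 to proceed
 * with signature verification, 0 to reject the certificate. */
int accepts_digest_strict(sig_alg_t alg, size_t digest_len)
{
    size_t want = expected_digest_len(alg);
    if (want == 0) return 0;                 /* unrecognised algorithm OID */
    if (digest_len != want) return 0;        /* truncated or oversized hash */
    return 1;
}

int main(void)
{
    /* Constructed inputs: a well-formed SHA-256 certificate and one whose
     * declared digest is far shorter than SHA-256 produces. */
    printf("lenient, 32-byte SHA-256 digest: %d\n", accepts_digest_lenient(SIG_ECDSA_SHA256, 32));
    printf("lenient, 4-byte digest:          %d\n", accepts_digest_lenient(SIG_ECDSA_SHA256, 4));
    printf("strict,  32-byte SHA-256 digest: %d\n", accepts_digest_strict(SIG_ECDSA_SHA256, 32));
    printf("strict,  4-byte digest:          %d\n", accepts_digest_strict(SIG_ECDSA_SHA256, 4));
    printf("strict,  unknown OID:            %d\n", accepts_digest_strict((sig_alg_t)99, 32));
    return 0;
}
```

The strict variant is the one a reviewer should look for in any verifier: the length comes from the algorithm identifier, the comparison is equality, and an unrecognised identifier is a hard failure rather than a fallback.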
Source: opennet.ru
