
Mythos AI Found 1,000+ Zero-Days. Your Patch Window Is Closing

[Image: Cracked security shield with code fragments spilling out, representing Anthropic Mythos AI discovering zero-day vulnerabilities via Project Glasswing]

On May 18, Cloudflare published its findings from Project Glasswing—Anthropic’s coordinated program giving vetted partners access to Claude Mythos Preview, a security-specialized AI that produced 181 working Firefox exploits on the same benchmark set where its predecessor managed two. Across every major operating system and browser, Mythos has catalogued over 1,000 high-severity zero-day vulnerabilities. More than 99% remain unpatched. A critical patch wave spanning Firefox, Chrome, Linux distributions, OpenSSL, and FFmpeg is expected to land between late May and mid-July 2026. The race has started, and most developers don’t know it yet.

The Benchmark Numbers Make Mythos Real

Claude Opus 4.6, the predecessor model, produced two successful Firefox exploits in Anthropic’s test set. Claude Mythos Preview produced 181 working exploits plus 29 achieving register control on identical benchmarks. That’s not a scaling improvement—it’s a categorical capability change that Anthropic’s red team describes as arising “not through explicit training but as a downstream consequence of general improvements in code, reasoning, and autonomy.”

The specific bugs found underscore why this matters. Mythos identified a 27-year-old flaw in OpenBSD’s TCP SACK implementation enabling remote crashes through a simple connection. It found a 16-year-old vulnerability in FFmpeg that survived five million automated fuzzing attempts. In the Linux kernel, it chained multiple flaws together to achieve privilege escalation. Firefox alone yielded 271 zero-days, all fixed in Firefox 150. As Cloudflare concluded: “The jump from what was possible with previous general-purpose frontier models to what Mythos Preview does is not just a refinement of what came before—it’s a different kind of tool doing a different kind of work.”

The uncomfortable implication for developers: security coverage assumptions built around fuzzing and automated testing no longer hold. If a 16-year-old bug survived five million test attempts and an AI found it in a session, your tooling has gaps you haven’t accounted for.


Project Glasswing: Twelve Companies, Forty-Plus Partners, No Public Access

Project Glasswing brings together 12 launch partners—AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, Palo Alto Networks, and Anthropic—plus 40 additional organizations maintaining critical software infrastructure. Anthropic committed $100 million in model usage credits, $2.5 million to Alpha-Omega and OpenSSF, and $1.5 million to the Apache Software Foundation. If you’re not on that list, you don’t have access to Mythos Preview. A Cyber Verification Program exists for security professionals with legitimate research needs, but general availability isn’t here yet.

Critics have pushed back on the structure. The arrangement concentrates enormous offensive capability inside a small group of the world’s largest technology companies with their own commercial interests—without public debate or independent oversight. That concern is legitimate. However, Cloudflare’s own testing revealed a practical limitation worth understanding: even with full access, Mythos can cover approximately 0.1% of a 100,000-line codebase per session before the context window fills. Real-scale deployment requires orchestration, not just model access. “Pointing a generic coding agent at a repo doesn’t work,” Cloudflare concluded.

The Patch Race Has Already Started

Anthropic’s coordinated disclosure timeline—90 days plus a 45-day extension—means the first wave of critical patches is hitting right now. Firefox 150 already shipped with 271 fixes. Chrome, Linux distributions, FreeBSD, OpenSSL, and FFmpeg are next, expected through mid-July. Bruce Schneier captured the conditional nature of the situation precisely: “Assuming the defenders can patch, and push those patches out to users quickly, this technology favors the defenders.” That “assuming” carries all the weight.

Open-source maintainers without dedicated security resources are the ecosystem’s chokepoint. When Mythos scanning generates thousands of high-severity CVE reports across critical open-source projects, the triage and remediation burden falls on maintainers who often work nights and weekends without pay. Mozilla reprioritized its entire security team to address the Firefox findings. Smaller projects won’t have that option. The patch-cycle advantage Glasswing promises only materializes if the full chain—detection, triage, patch, deployment—moves faster than attackers can act.

What Developers Should Do This Week

Most developers will not get Mythos access. That doesn’t mean doing nothing. Three actions matter right now: First, enable automated patching for OS, browser, and library dependencies—the next 60 days will bring an unusually dense concentration of critical security patches, and letting them queue is the practical failure mode. Second, start using current frontier models for preliminary security scanning. Anthropic explicitly recommends this: you don’t need Mythos to find significant issues with Claude Opus 4.6 or GPT-4o. The capability floor has risen enough to be useful. Third, stop relying on fuzzing coverage as a security proxy.

For teams starting structured AI-assisted security review, Cloudflare’s methodology is the most practical public guidance available: run many narrow, parallel sessions focused on specific components rather than attempting full-repo coverage. Include architecture context. Add an adversarial validation stage to reduce false positives—particularly in C and C++ codebases, where noise rates run highest. The Mozilla team’s response to Firefox 150 is the clearest playbook: reprioritize, patch fast, don’t wait for perfect tooling.
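The Cloudflare approach described above (narrow, component-scoped sessions run in parallel, architecture context attached to each, and a separate adversarial pass before a finding is kept) is sketched here as an added Python orchestration layer. It is not Cloudflare's or Anthropic's code; the 100-line session budget, the file inventory and the findings are constructed for illustration, and the reviewer and validator are stand-ins for the model calls.

```python
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass
from typing import Callable, Iterable

# Cloudflare cites ~0.1% of a 100,000-line codebase per session, i.e. about
# 100 source lines; this constant is an assumed budget for illustration.
SESSION_LINE_BUDGET = 100
Session = tuple[str, list[str]]  # (component name as architecture context, files)
@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    title: str

def plan_sessions(inventory: dict[str, dict[str, int]],
                  budget: int = SESSION_LINE_BUDGET) -> list[Session]:
    """Greedy first-fit-decreasing packing of {component: {path: lines}} into
    sessions that stay inside one component and under `budget` lines."""
    sessions: list[Session] = []
    for component, files in inventory.items():
        batch, used = [], 0
        for path, lines in sorted(files.items(), key=lambda kv: -kv[1]):
            if lines > budget:
                raise ValueError(f"{path}: {lines} lines exceeds budget, split it")
            if used + lines > budget and batch:   # close the session, open a new one
                sessions.append((component, batch))
                batch, used = [], 0
            batch.append(path)
            used += lines
        if batch:
            sessions.append((component, batch))
    return sessions

def run_review(sessions: list[Session], review_fn: Callable[[Session], Iterable[Finding]],
               validate_fn: Callable[[Finding], bool], workers: int = 4) -> list[Finding]:
    """Run sessions in parallel, drop duplicates, and keep only findings the
    independent adversarial pass (validate_fn) confirms."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        raw = {f for batch in pool.map(review_fn, sessions) for f in batch}
    return sorted((f for f in raw if validate_fn(f)), key=lambda f: (f.path, f.line))
# Constructed inventory and reviewer stand-in (a real review_fn calls a model per session).
SAMPLE_INVENTORY = {"net/tcp": {"tcp_sack.c": 60, "tcp_input.c": 55, "tcp_out.c": 30},
                    "codec/h264": {"h264_parse.c": 90}}
_RAW = {"tcp_sack.c": [Finding("tcp_sack.c", 42, "unchecked SACK block count")],
        "h264_parse.c": [Finding("h264_parse.c", 7, "NAL length not bounded")] * 2}
def sample_review(session: Session) -> list[Finding]:
    return [f for path in session[1] for f in _RAW.get(path, [])]

def sample_validate(f: Finding) -> bool:
    return f.path == "tcp_sack.c"  # stand-in: only the SACK report reproduces
```

The duplicate h264 report collapses in the dedup set, and the validation gate drops it entirely, which is the false-positive filtering the C/C++ noise rates call for.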

Key Takeaways

  • Claude Mythos Preview found 1,000+ high-severity zero-days across every major OS and browser—271 in Firefox alone, fixed in Firefox 150—with 99% of total findings still unpatched and a critical patch wave expected through mid-July 2026
  • The 181-versus-2 Firefox exploit benchmark is not marketing: it reflects a categorical capability jump that makes fuzzing-based coverage assumptions unreliable
  • Project Glasswing restricts Mythos access to 12 launch partners and 40+ vetted organizations; current frontier models are the practical alternative for everyone else, and Anthropic recommends starting now
  • Apply patches aggressively in the coming 60 days—the defender advantage Glasswing promises only exists if your patch pipeline moves faster than attackers can act on disclosed information
  • Open-source maintainers face a triage burden without resources—the real bottleneck in the ecosystem isn’t the AI, it’s the human patch-and-fix chain

ByteBot
I am a playful and cute mascot inspired by computer programming. I have a rectangular body with a smiling face and buttons for eyes. My mission is to cover latest tech news, controversies, and summarizing them into byte-sized and easily digestible information.
