Claude Mythos Preview Project Glasswing: Zero-Day AI (2026)

The Vulnerabilities: What Mythos Preview Actually Found

The headline number — thousands of high-severity zero-day vulnerabilities across every major operating system and browser — is the kind of claim that requires concrete examples to be credible. Anthropic provided several, and they are worth examining in detail.

The 27-Year-Old OpenBSD Bug

The oldest vulnerability discovered using Mythos Preview is a critical flaw in OpenBSD’s implementation of SACK (Selective Acknowledgment), a TCP extension that improves performance on unreliable networks. The bug had existed since 1999 — undetected for 27 years in an operating system famous for its security-first design philosophy.

The flaw is technically subtle. OpenBSD compared TCP sequence numbers by calculating (int)(a - b) < 0. This comparison works correctly when the two sequence numbers are within 2^31 of each other. But an attacker could craft a SACK block whose start value sits approximately 2^31 away from the actual receive window. The subtraction overflows the sign bit, the comparison evaluates incorrectly, and the kernel writes to a null pointer — crashing any OpenBSD host that responds over TCP. The vulnerability has since been patched, but it illustrates exactly the class of bug Mythos excels at finding: logically subtle, mathematically precise, invisible to standard static analysis tools, and catastrophic in practice.

The Four-Vulnerability Browser Chain

Perhaps the most technically impressive demonstration is Mythos Preview’s fully autonomous construction of a chained browser exploit. Working without human guidance, the model:

1. Identified four separate vulnerabilities in a major web browser’s rendering engine
2. Wrote a complex JIT heap spray to achieve reliable memory corruption
3. Escaped the renderer sandbox
4. Escaped the OS-level process sandbox
5. Delivered a complete, working end-to-end exploit chain

Prior AI models could occasionally find individual vulnerabilities or assist with known exploit techniques when heavily guided. Autonomously chaining multiple novel vulnerabilities into a full sandbox escape — one of the hardest tasks in offensive security — is a qualitative leap. Elite human exploit developers charge hundreds of thousands of dollars per engagement for this class of work. Mythos Preview does it at inference speed.

FreeBSD NFS Server: Unauthenticated Root

Mythos Preview also autonomously wrote a remote code execution exploit against FreeBSD’s NFS server that granted full root access to unauthenticated network users. The exploit used a 20-gadget return-oriented programming (ROP) chain, split across multiple network packets to bypass size constraints — a technique that requires deep knowledge of the target’s memory layout and execution model. The model produced this exploit without human assistance or pre-existing exploit templates.

Linux: Race Conditions and KASLR Bypass

On Linux, Mythos Preview autonomously obtained local privilege escalation exploits by exploiting subtle race conditions in kernel code and bypassing Kernel Address Space Layout Randomization (KASLR) — a security mitigation specifically designed to make kernel exploitation harder by randomizing memory address layouts at boot time. Successfully defeating KASLR requires either an information leak vulnerability or a timing-based side channel, followed by precise exploitation of the revealed layout. This is graduate-level security research, performed autonomously and repeatedly.

Mythos Preview vs. Claude Opus 4.6: The Capability Cliff

To understand why Project Glasswing exists — and why Anthropic took the unprecedented step of publishing a System Card for a model it won’t release — it helps to quantify the gap between Mythos Preview and the current publicly available model:

• Firefox exploit generation: Mythos Preview 72.4% success rate vs. Opus 4.6’s ~0% (2 successes out of several hundred attempts)
• Firefox exploit count: 181 working Mythos exploits vs. 2 for Opus 4.6 across the same test battery
• Reverse engineering: Mythos Preview can take a closed-source, stripped binary and reconstruct readable source code. Opus 4.6 cannot reliably do this.
• Autonomous exploitation: Mythos develops complete multi-stage exploit chains without human guidance. Opus 4.6 requires significant human direction for anything beyond basic vulnerability classes.

According to Anthropic’s red team assessment, Mythos Preview represents the first publicly documented case of an AI model surpassing all but the most skilled human security researchers on offensive security tasks. This is a phase transition, not a performance improvement. Read our April 2026 benchmark breakdown for context on where the current public frontier sits relative to what Mythos Preview demonstrates.

Why Anthropic Won’t Release It Publicly (Yet)

Anthropic’s decision to withhold Mythos Preview from general availability is unusual in an industry that has largely moved toward broader model release. The company’s reasoning, detailed in the System Card and public statements, centers on two interlocking concerns:

Cybersecurity uplift at scale. A model with a 72.4% success rate at generating working exploits against hardened targets, available to anyone via API, would meaningfully lower the bar for serious cyberattacks. Elite security researchers and nation-state actors already have resources to develop these capabilities independently. The concern is giving equivalent leverage to actors who currently lack the technical expertise. Anthropic estimates that Mythos-class cybersecurity capabilities will become broadly available within 12–24 months as model quality continues to improve industry-wide — making the current window of restricted access a narrow opportunity to patch critical infrastructure before the capability proliferates beyond controlled settings.

CBRN risk assessment. Anthropic’s red team assessed Mythos Preview’s potential to provide uplift to individuals pursuing chemical, biological, radiological, or nuclear harm. Expert evaluators — including virologists, immunologists, and synthetic biologists — rated the model as a “force-multiplier that saves meaningful time” at uplift level 2 of 4 (CB-1 in Anthropic’s framework: meaningful assistance to someone with basic technical knowledge). The combination of cybersecurity capability and CBRN risk crossed the threshold for restricted deployment. Anthropic has stated its intention to make Mythos-class models broadly available once new safeguards are in place, but has declined to provide a timeline.

What This Means for Developers and Security Teams

If you are not one of the 50+ organizations in Project Glasswing, you cannot access Claude Mythos Preview today. But the announcement carries several practical implications for every developer and security team working on production infrastructure:

The attack surface is changing faster than patching cycles. The vulnerabilities Mythos found — including bugs undetected for 27 years in security-hardened software — were not waiting for an AI to be discoverable. They were always there. The question is whether defenders or attackers find them first. Project Glasswing represents a structured attempt to institutionalize the defender-first advantage before equivalent capability becomes widely accessible. The race is already running.

Open-source infrastructure carries the highest-risk exposure. Mythos Preview’s demonstrated results on OpenBSD, FreeBSD, and Linux — and the Linux Foundation’s inclusion as a founding Glasswing partner — signals where the highest-impact vulnerabilities are concentrated. Code that is widely deployed, freely inspectable, and maintained by distributed volunteer communities is exactly the attack surface where a model capable of autonomous vulnerability research provides the most leverage to an attacker. If your production stack depends on open-source infrastructure (and almost every production system does), the Glasswing findings have direct implications for your threat model and patching prioritization.

AI-assisted security tooling is no longer optional. The gap between Mythos Preview and current public models suggests that within 12–24 months, models with significantly elevated offensive security capabilities will be broadly accessible. Security teams not already building AI-assisted vulnerability scanning into their workflows will be operating at a structural disadvantage against attackers who are. For developers building on or around critical infrastructure, the question is not whether to adopt AI security tooling — it is how quickly to do so. Use our free meta tag analyzer and related developer tools to audit your web properties’ security posture as AI-powered scanning grows more capable.

The restricted-access model may become standard for frontier capabilities. Anthropic’s approach with Project Glasswing — building a tiered access structure, requiring organizational vetting, mandating finding-sharing, and publishing a System Card without releasing the model — is a new template for how capability-safety tradeoffs might be managed at the AI frontier. Developers building AI-powered applications should watch Glasswing’s evolution: the structured partnership model, the tiered access by infrastructure criticality, and the mandatory disclosure requirements are all likely to influence how other frontier labs handle future releases that exceed existing safety thresholds.

The Defender’s Window Is Short

Project Glasswing is built on an explicit race-against-time premise: that the capability demonstrated by Mythos Preview will proliferate across the AI industry within one to two years, at which point any actor — not just vetted partners — could access similar offensive capability via a frontier model API. The window in which only defenders have access to this level of AI-powered security research is, by Anthropic’s own estimate, measured in months rather than years.

Whether the patching head start Project Glasswing provides will be sufficient depends on how quickly partners can triage, prioritize, and deploy fixes across the systems Mythos has scanned. The OpenBSD bug, undetected for 27 years, was patched within days of discovery. If that same velocity applies broadly, the program may achieve its goal of meaningfully hardening critical infrastructure before the capability window closes. If bureaucratic patching cycles and coordination failures slow deployment of fixes, the defender advantage narrows.

For the broader AI and security community, Claude Mythos Preview and Project Glasswing mark the clearest demonstration to date that frontier AI capabilities have entered territory where the industry cannot simply ship and iterate. The capability is real, the risk is documented by Anthropic’s own red team, and the window for proactive defense is open — but not indefinitely.

Conclusion

Claude Mythos Preview is Anthropic’s most powerful model, withheld from public release because its cybersecurity capabilities are demonstrably dangerous at scale. Project Glasswing is the structured attempt to use those capabilities for defense before they proliferate to all actors. The specific findings — a 27-year-old OpenBSD kernel crash, a four-vulnerability browser sandbox escape, unauthenticated FreeBSD root access, a 72.4% Firefox exploit success rate — are concrete demonstrations of a threshold the AI industry crossed in April 2026. Security teams, developers, and organizations that depend on critical infrastructure have a narrow window to accelerate patching, adopt AI-assisted security tooling, and build the operational posture that the post-Mythos threat landscape will require. Browse our developer tools collection for security-focused integration templates and API starter kits built for AI-assisted development workflows.