Claude Mythos

Three Historic Vulnerabilities: Mythos Cybersecurity Capabilities in Detail

OpenBSD's 27-year TCP SACK bug, FFmpeg's 16-year H.264 flaw, and FreeBSD's 17-year NFS zero-day — all found by Claude Mythos. A technical deep dive.

Published on April 8, 2026 · Claude Mythos

TL;DR: Anthropic’s red team blog and System Card document three vulnerability discoveries that redefine what AI can do in offensive security. A 27-year-old OpenBSD kernel bug. A 16-year-old FFmpeg decoder flaw that survived 5 million fuzzer runs. A 17-year-old FreeBSD NFS zero-day exploited fully autonomously for remote root. Total cost for the OpenBSD scan: under $20,000. Anthropic’s own engineers called it “another GPT-3 moment.”

The Scale of Discovery

Before examining individual cases, the aggregate numbers set the context.

Opus 4.6 discovered approximately 500 unknown vulnerabilities in open-source software. Mythos Preview found thousands.

[Figure: CyberGym scores]

In CyberGym’s directed vulnerability reproduction tests, Mythos Preview scored 83.1% versus Opus 4.6’s 66.6%. In Cybench’s 35 CTF challenges, Mythos achieved 100% pass@1 — solving every challenge on the first attempt across 10 runs.

[Figure: Cybench results]

But the most telling comparison involves Firefox 147.

Anthropic previously used Opus 4.6 to find security weaknesses in Firefox 147’s JavaScript engine. Opus 4.6 could discover vulnerabilities but almost never convert them into working exploits — hundreds of attempts yielded only 2 successes.

Mythos Preview on the same test: 250 attempts, 181 working exploits, plus 29 additional instances of register control. From 2 to 181. The red team blog’s exact words: “Last month, we wrote that Opus 4.6 was far better at finding issues than exploiting them. Internal assessments showed Opus 4.6’s success rate at autonomous exploit development was essentially zero. Mythos Preview is an entirely different level.”

Case 1: OpenBSD — 27-Year TCP SACK Vulnerability

OpenBSD is widely considered one of the most hardened operating systems in existence. It runs on firewalls and critical infrastructure worldwide. Its codebase has been subjected to continuous security auditing for decades.

Mythos Preview found a vulnerability in OpenBSD’s TCP SACK implementation that had been present since 1998.

The bug is extraordinarily subtle, involving the interaction of two independent flaws:

Flaw 1: The SACK protocol allows receivers to selectively acknowledge received data packet ranges. OpenBSD’s implementation checked only the upper bound of SACK ranges, not the lower bound. This alone is typically harmless.

Flaw 2: Under specific conditions, a null pointer write can be triggered. But under normal circumstances, this code path is unreachable because it requires two mutually exclusive conditions to be satisfied simultaneously.

The breakthrough: TCP sequence numbers are 32-bit signed integers. Mythos Preview discovered that by setting the SACK starting point approximately 2^31 away from the normal window using Flaw 1, two comparison operations simultaneously overflow the sign bit. The kernel is tricked — the “impossible” conditions are both satisfied, and the null pointer write fires.

Impact: Anyone who can connect to the target machine can remotely crash it.
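
The comparison behaviour behind this bug class can be reproduced in a few lines. This is an added illustration, not OpenBSD's code or code from the red team blog: it uses the signed-difference comparison idiom common to BSD-derived TCP stacks, with a hypothetical struct window and constructed values, to show a start value about 2^31 away from the window testing as both "before" and "after" it, and a two-sided range check rejecting that value.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Wraparound-aware comparison: the sign of the 32-bit difference. */
#define SEQ_LT(a, b)  ((int32_t)((uint32_t)(a) - (uint32_t)(b)) < 0)
#define SEQ_GT(a, b)  ((int32_t)((uint32_t)(a) - (uint32_t)(b)) > 0)
#define SEQ_LEQ(a, b) ((int32_t)((uint32_t)(a) - (uint32_t)(b)) <= 0)
#define SEQ_GEQ(a, b) ((int32_t)((uint32_t)(a) - (uint32_t)(b)) >= 0)

/* Hypothetical send window (illustrative names): una..max, una <= max. */
struct window { uint32_t una, max; };

/* True when seq is "before una" AND "after max" although una <= max:
 * the pair of conditions that looks mutually exclusive on paper. */
bool ordering_is_contradictory(const struct window *w, uint32_t seq)
{
    return SEQ_LEQ(w->una, w->max) && SEQ_LT(seq, w->una) && SEQ_GT(seq, w->max);
}

/* Model of the weak validation: only the block's upper edge is checked. */
bool sack_ok_upper_only(const struct window *w, uint32_t start, uint32_t end)
{
    (void)start;
    return SEQ_LEQ(end, w->max);
}

/* Hardened validation: both edges inside the window, block non-empty. */
bool sack_ok(const struct window *w, uint32_t start, uint32_t end)
{
    return SEQ_GEQ(start, w->una) && SEQ_LT(start, end) && SEQ_LEQ(end, w->max);
}

int main(void)
{
    /* Constructed values; the window straddles the 2^32 wrap on purpose. */
    struct window w = { 0xFFFFFF00u, 0xFFFFFF00u + 1000u };
    uint32_t far_start = w.una + 0x80000000u + 500u;   /* about 2^31 away */
    uint32_t end = w.una + 800u;

    printf("contradictory ordering:   %d\n", ordering_is_contradictory(&w, far_start));
    printf("upper-only check accepts: %d\n", sack_ok_upper_only(&w, far_start, end));
    printf("two-sided check accepts:  %d\n", sack_ok(&w, far_start, end));
    return 0;
}
```

The signed-difference idiom is only a valid ordering while both operands lie within 2^31 of each other, so every externally supplied sequence value has to be pinned to the window before it is compared with anything else.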

27 years. Countless manual audits and automated scans. Nobody found it. The entire scanning project cost less than $20,000 — roughly one week’s salary for a senior penetration testing engineer.

Case 2: FFmpeg — 16-Year H.264 Decoder Vulnerability

FFmpeg is the most widely used video codec library in the world. It is also one of the most thoroughly fuzzed open-source projects in existence.

Mythos Preview found a vulnerability in the H.264 decoder introduced in 2010, with roots traceable to 2003.

The issue is a seemingly innocent type mismatch. The table recording slice assignments uses 16-bit integers. The slice counter itself is a 32-bit int.

Normal video frames contain only a few slices, so the 16-bit upper limit of 65,536 is never reached. The table is initialized using memset(..., -1, ...), making 65,535 the sentinel value for “empty slot.”

The attack: Construct a video frame containing 65,536 slices. Slice number 65,535 collides with the sentinel value. The decoder misidentifies it as an empty slot, triggering an out-of-bounds write.

The seed of this bug was planted when the H.264 codec was introduced in 2003. A 2010 refactoring transformed it from a latent issue into an exploitable vulnerability. In the 16 years since, automated fuzzers executed 5 million runs on this line of code without triggering it. The trigger condition — a frame with exactly 65,536 slices — is astronomically unlikely to occur through random fuzzing but trivial to construct deliberately.
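
The sentinel collision described above, as an added example that is not FFmpeg's code: a 16-bit table filled by memset(..., -1, ...) and a 32-bit slice number stored into it with and without a range check. The table name, the 16-block frame size and the helper functions are illustrative assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NUM_MB 16        /* constructed: a tiny "frame" of 16 macroblocks */
#define EMPTY  0xFFFFu   /* what memset(..., -1, ...) leaves in a 16-bit cell */

static uint16_t slice_table[NUM_MB];   /* illustrative: owning slice per block */

void table_reset(void) { memset(slice_table, -1, sizeof slice_table); }

/* Flawed store: the 32-bit slice counter is truncated to 16 bits. */
void assign_unchecked(int mb, int slice_num)
{
    slice_table[mb] = (uint16_t)slice_num;
}

/* Hardened store: reject indices and slice numbers that the table
 * cannot represent distinctly from the sentinel. */
bool assign_checked(int mb, int slice_num)
{
    if (mb < 0 || mb >= NUM_MB || slice_num < 0 || slice_num >= (int)EMPTY)
        return false;
    slice_table[mb] = (uint16_t)slice_num;
    return true;
}

bool looks_empty(int mb) { return slice_table[mb] == EMPTY; }

/* Number of blocks a reader of the table would treat as unassigned. */
int count_empty(void)
{
    int n = 0;
    for (int mb = 0; mb < NUM_MB; mb++)
        n += looks_empty(mb);
    return n;
}

int main(void)
{
    table_reset();
    assign_unchecked(3, 7);        /* ordinary slice number */
    assign_unchecked(4, 65535);    /* same bit pattern as the sentinel */
    printf("block 4 looks empty: %d, empty blocks: %d\n", looks_empty(4), count_empty());
    printf("checked store of 65535 accepted: %d\n", assign_checked(5, 65535));
    return 0;
}
```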

Case 3: FreeBSD NFS — 17-Year Remote Root (CVE-2026-4747)

This is the case that made security researchers’ blood run cold.

Mythos Preview fully autonomously discovered and exploited a remote code execution vulnerability in FreeBSD’s NFS server that had existed for 17 years (CVE-2026-4747).

“Fully autonomous” means that after the initial prompt, no human was involved in any stage of discovery or exploit development.

Impact: An attacker from anywhere on the internet can gain complete root privileges on the target server without any authentication.

The vulnerability: A stack buffer overflow in the NFS server’s authentication request handler. Attacker-controlled data is copied directly into a 128-byte stack buffer, but the length check allows up to 400 bytes.

Why existing protections failed: FreeBSD’s kernel is compiled with -fstack-protector, but this option only protects functions containing char arrays. This buffer was declared as int32_t[32] — the compiler does not insert a stack canary. FreeBSD also does not implement kernel address space layout randomization.

The exploit: The complete ROP chain exceeds 1,000 bytes, but the stack overflow provides only 200 bytes of space. Mythos Preview’s solution: split the attack across 6 consecutive RPC requests. The first 5 write data blocks into kernel memory. The 6th triggers the final payload, appending the attacker’s SSH public key to /root/.ssh/authorized_keys.

For comparison, an independent security research firm previously demonstrated that Opus 4.6 could also exploit this same vulnerability — but only with human guidance. Mythos Preview needed none.
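
The length-check mismatch described above, as an added example that is not FreeBSD's code: a 128-byte int32_t[32] buffer guarded by a 400-byte limit, next to a check bounded by the destination's own size. The struct frame stand-in, the function names and the input bytes are assumptions made for illustration; the copy stays inside one object so the demonstration is well defined.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LEGACY_MAX_LEN 400   /* the limit the flawed check enforces */

/* Stand-in for a stack frame (illustrative): the 128-byte buffer followed
 * by the bytes that sit after it in memory. */
struct frame {
    int32_t cred[32];                                   /* 128 bytes, not a char array */
    unsigned char after[LEGACY_MAX_LEN - 32 * sizeof(int32_t)];
};

/* Flawed: the length is compared with a protocol limit, not the destination. */
bool copy_legacy(struct frame *f, const unsigned char *src, size_t len)
{
    if (len > LEGACY_MAX_LEN)
        return false;
    memcpy((unsigned char *)f, src, len);   /* spills past cred[] when len > 128 */
    return true;
}

/* Hardened: the bound is the destination's own size. */
bool copy_hardened(struct frame *f, const unsigned char *src, size_t len)
{
    if (len > sizeof f->cred)
        return false;
    memcpy(f->cred, src, len);
    return true;
}

/* Number of bytes beyond cred[] that no longer hold their zero fill. */
size_t clobbered(const struct frame *f)
{
    size_t n = 0;
    for (size_t i = 0; i < sizeof f->after; i++)
        n += f->after[i] != 0;
    return n;
}

int main(void)
{
    unsigned char msg[LEGACY_MAX_LEN];      /* constructed input */
    struct frame f = {0};
    memset(msg, 0x41, sizeof msg);
    bool accepted = copy_legacy(&f, msg, sizeof msg);
    printf("legacy accepted: %d, bytes clobbered: %zu\n", accepted, clobbered(&f));
    return 0;
}
```

Independently of the bound fix, GCC and Clang's -fstack-protector-strong also instruments functions whose local arrays are not char arrays, which plain -fstack-protector skips.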

Beyond These Three

In addition to these three patched cases, Anthropic’s red team blog disclosed SHA-3 hash commitments for a large number of unpatched vulnerabilities spanning every major operating system, every major browser, and multiple cryptographic libraries. Over 99% remain unpatched and cannot be publicly disclosed.

The red team blog also described another test: Mythos Preview was given a list of 100 known CVEs, asked to identify the 40 most exploitable, and then write privilege escalation exploits for each. Success rate exceeded 50%. Two cases were detailed publicly; the exploits were so sophisticated that Anthropic’s own security team spent days fully understanding them.

One exploit started from a 1-bit adjacent physical page write primitive. Through precise kernel memory layout manipulation — including slab spraying, page table page alignment, and PTE permission bit flipping — it ultimately rewrote the first page of /usr/bin/passwd with a 168-byte ELF stub calling setuid(0) for root access. Total cost: under $1,000.

Anthropic’s engineers described the experience: “This feels like another GPT-3 moment.”

The Uncomfortable Truth

The red team blog ends with a judgment worth repeating: these capabilities emerged as a downstream result of general improvements in code understanding, reasoning, and autonomy. The same improvements that make AI dramatically better at fixing problems also make it dramatically better at exploiting them.

No specialized training. Pure general intelligence improvement as a side effect.

The global cybersecurity industry loses approximately $500 billion annually to cybercrime. That industry just discovered its biggest emerging threat arrived as a byproduct of someone solving math problems.
