Long-lived FFmpeg bug found
Anthropic’s Project Glasswing used Claude Mythos to hunt for vulnerabilities and discovered a 16-year-old bug in FFmpeg and a separate 27-year-old OpenBSD flaw, both missed by millions of automated tests. The team’s findings prompted vendor crediting and highlight how AI tools are being used to surface deep, longstanding issues in critical media libraries that power transcoding and delivery. For video platforms that depend on FFmpeg at scale, the episode is a reminder that securing the media stack is both urgent and nontrivial. (x.com) (x.com)
Video apps lean on one old workhorse to open, convert, and package media files, and that workhorse is FFmpeg, a free software project embedded in streaming services, editing tools, browsers, and device apps. Anthropic says its new Claude Mythos 2 Preview model found an FFmpeg vulnerability that had sat in the code for 16 years. (anthropic.com)

FFmpeg does a job called transcoding, which means taking one video format and turning it into another so a phone, television, or web player can actually play it. Big video platforms run that conversion step constantly because the same upload may need many versions for different screens and internet speeds. (ffmpeg.org)

Security teams usually hunt bugs in code like this with fuzzing, which is the software equivalent of slamming random keys into every lock on a building to see which door pops open. Anthropic said automated testing tools had exercised the exact FFmpeg line five million times without recognizing the flaw. (anthropic.com) That detail is the surprise in this story: the bug was not hidden in untouched code, but in code that had been hammered for years. CyberScoop reported that Anthropic contacted maintainers and that the vulnerabilities it disclosed were patched. (cyberscoop.com)

Anthropic bundled this work into Project Glasswing, a security effort it announced on April 8, 2026, with up to $100 million in usage credits and $4 million in donations for open-source security work. The company says the project is built around Claude Mythos 2 Preview, an unreleased model it believes can find and exploit software flaws at a level beyond most human researchers. (anthropic.com)

The FFmpeg find was not the only old problem it surfaced. Anthropic also said Mythos found a 27-year-old vulnerability in OpenBSD, an operating system known for a security-first culture and often used in firewalls and other infrastructure. (anthropic.com) That pairing matters because FFmpeg and OpenBSD sit in very different parts of the software world. One is a media library that helps move video around the internet, and the other is a hardened operating system, so finding decade-old flaws in both suggests the model is searching for deeper logic mistakes, not just copying known bug patterns. (anthropic.com) (cyberscoop.com)

Anthropic is not releasing Mythos openly, and outside reporting says the company is treating it as a gated system because the same capability that helps defenders could also help attackers build working exploits faster. PCWorld described the model as powerful enough that Anthropic is wary of broad public release. (pcworld.com) (anthropic.com)

For video companies, the lesson is mundane and expensive at the same time. A media pipeline can run millions of clean test cases and still miss one old edge case in a parser, decoder, or container handler, which means the boring plumbing under upload, playback, and delivery now needs another layer of review. (anthropic.com) (ffmpeg.org)

The story is not that artificial intelligence suddenly made software unsafe on April 8, 2026. The story is that a model built for code review just showed that some of the internet’s oldest and most trusted components still contain bugs that ordinary testing had walked past for years. (anthropic.com)