Mythos reportedly discovered 100+ zero‑day hardware bugs, researchers say

- Anthropic said on April 7 that its unreleased Claude Mythos Preview found and exploited zero-days across every major operating system and browser.
- The company says the model has already uncovered thousands of mostly unpatched flaws, including a 27-year-old OpenBSD bug, prompting Project Glasswing.
- Google’s M-Trends 2026 says mean time to exploit is now negative seven days — attackers often move before patches exist.

Software security is the thing here — specifically the part where bugs sit quietly in old code until someone turns them into a break-in. That has always been a race between defenders and attackers. But the race just got stranger. Anthropic says its unreleased Claude Mythos Preview can find and exploit zero-day vulnerabilities at a level that crosses a threshold, and it launched Project Glasswing on April 7, 2026 to put that capability in defenders’ hands first. (red.anthropic.com)

### What actually changed?

The big change is not just that an AI model found bugs. Security teams already use automation, fuzzers, and static analysis for that. The change is that Anthropic is claiming a general-purpose model can reason through real codebases, identify subtle flaws, and in some cases build working exploits across major operating systems and browsers. Ant(red.anthropic.com)lities, with more than 99% still unpatched and therefore not publicly described. (red.anthropic.com)

### Why are people taking that seriously?

Because the examples are not toy problems. Anthropic says the model found bugs that survived years or decades of human review, including a now-patched 27-year-old flaw in OpenBSD. It also says the model could reverse-engineer exploits for closed-source software and turn known-but-not-yet-patched bugs into usable attacks faster th(red.anthropic.com)lease the model broadly and instead gated it through a security program. (red.anthropic.com)

### So where did the “100+ hardware bugs” claim come from?

That part is fuzzier. The strongest primary-source claim is bigger than that: Anthropic says it can identify vulnerabilities across both hardware and software “at a pace and scale previously impossible,” and says launch partners are applying the model to critical codebases and infrastructure. But the public mater(red.anthropic.com)r bugs for about $600” number. The public record supports a broader claim — thousands of zero-days across major systems — more than the narrower viral number. (anthropic.com)

### Why does the seven-day number matter?

Turns out it is worse than seven days. Google’s M-Trends 2026 says mean time to exploit newly disclosed vulnerabilities has dropped to negative seven days. Basically, attackers are often exploiting flaws before a patch is even available. In the same report, exploits remained the top initial infection vector in 2025, accounting for 32% o(anthropic.com)kers already move before patch day, the old patch window starts to disappear. (cloud.google.com)

### Why are old bugs such a big deal?

Old bugs tell you this is not just brute force. A decades-old flaw in a hardened project like OpenBSD means the model is surfacing edge cases that survived audits, testing, and institutional memory. Think of it less like a faster scanner and more like adding thousands of competent junior researchers who never (cloud.google.com) it does change throughput. (red.anthropic.com)

### What is Project Glasswing for?

Project Glasswing is Anthropic’s attempt to keep the first big gains on the defensive side. Launch partners include AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks. Anthropic says it is committing up to $100 million in usage credits and $4 million to open-s(red.anthropic.com)ting access. (anthropic.com)

### What does this mean for defenders now?

The practical answer is ugly but clear. Patch cycles have to get shorter. Vendor coordination has to happen earlier. Triage has to assume that a subtle bug in an obscure component may not stay obscure for long. And security teams probably need AI on their side just to keep up with AI-assisted offense. The old model — find, file, wait, (anthropic.com)are collapsing into the same week. (cloud.google.com)

### Bottom line?

The real story is not one flashy bug count. It is that frontier models now seem capable of moving vulnerability research from artisanal to industrial scale. If that claim holds up outside vendor-controlled testing, software defense is about to become much more about speed than perfection. (red.anthropic.com)
