Claude Mythos Discovers Thousands of Zero-Days: 27-Year OpenBSD TCP Bug, 16-Year FFmpeg Flaw, FreeBSD Remote Root, Browser Sandbox Escapes
Anthropic's red team reports Mythos Preview identified thousands of previously unknown vulnerabilities with 'over 99%' still unpatched. Key discoveries: a 27-year-old OpenBSD TCP/SACK signed integer overflow enabling remote crash, a 16-year-old FFmpeg H.264 out-of-bounds write that survived decades of fuzzing, a 17-year-old FreeBSD NFS stack buffer overflow (CVE-2026-4747) enabling unauthenticated remote root via a 1000+ byte ROP chain, and autonomous browser sandbox escapes across every major browser. The model produced 181 working Firefox JS engine exploits vs Opus 4.6's 2. Professional validators confirmed severity classifications with 89% exact accuracy and 98% within one level. Discovery costs were remarkably low: the OpenBSD bug cost under $20,000 across 1,000 runs; FFmpeg approximately $10,000.
↳ Follow the thread