Anthropic published an update on Project Glasswing this week, and the numbers are the kind that change what enterprise security teams budget for next quarter. Claude Mythos Preview, a frontier model that is not yet generally available, was given to 50 partner organizations and pointed at production codebases. The current count is more than 10,000 high or critical severity vulnerabilities identified across those partners. Anthropic’s own scan, run separately against 1,000 open-source projects, surfaced 23,019 issues, of which 6,202 were high or critical. Six independent security firms audited 1,752 of those high-or-critical findings and confirmed more than 90 percent as true positives.

The specific bugs are the part that sticks. Mythos found a flaw in wolfSSL, the cryptography library running on billions of embedded devices, and built a working exploit that forges certificates. It found a 16-year-old vulnerability in FFmpeg, which is to say a 16-year-old vulnerability in basically every video pipeline on earth. It found a remote code execution bug in FreeBSD’s NFS implementation that now lives under CVE-2026-4747. It found multiple Linux kernel privilege-escalation chains. Partner organizations include AWS, Apple, Cisco, Google, JPMorgan Chase, and Microsoft, which is a tidy summary of “the operating environment of the global economy.”

The white-hat framing is the comfortable read. The uncomfortable read is that the same capability runs in the other direction. A model that finds a forgeable-cert bug in wolfSSL for a defender finds the same bug for an attacker, and the question of who runs the scan first becomes the question that decides whether you get patched or breached. Several Glasswing partners told Anthropic that their internal bug-finding rate has gone up by more than ten times. That is the headline number in the press release. The footnote is that the threat actor who gets access to a similar model gets the same multiplier, and the asymmetry that has historically favored defenders (more eyes, more time) just got considerably less asymmetric.

anthropicclaude-mythosproject-glasswingsecurityvulnerability-researchwolfsslffmpegcve