Inside the Mythos Red Team report: zero-days Anthropic found everywhere
Read Time 6 mins | Written by: Cole
Anthropic published its red team report for Claude Mythos Preview on April 7, 2026. It's dense, technical, and worth reading in full if you're a security expert. But if you don't have time for the whole thing, here's what you need to know: Mythos found exploitable zero-day vulnerabilities in every major operating system and every major web browser.
Some of these bugs had been in production for over two decades.
Anthropic says over 99% of the vulnerabilities they've found haven't been patched yet. What they've published is less than 1% of their findings.
Mythos since April: blocked, restored, and no longer alone
A few things have changed since the report came out.
On June 12, the US Commerce Department ordered Anthropic to disable Mythos 5 and the lighter Fable 5 model worldwide, citing national security authorities after reports of a jailbreak that could turn the models into unrestricted cyber tools. Anthropic disputed how serious the jailbreak actually was. Two weeks later, on June 26, the government reversed course and approved Mythos 5 access for roughly 100 vetted companies and federal agencies. Fable 5 is still blocked.
Mythos also isn't the only model in this weight class anymore. OpenAI's GPT-5.5-Cyber, rolled out in May through a vetted Trusted Access for Cyber program, has found exploitable bugs in Chrome's V8 engine, Safari, and dozens of Linux kernel privilege-escalation paths.
The UK's AI Security Institute evaluated GPT-5.5 as roughly on par with Mythos for offensive cyber capability.
And the gap to open-weight models is closing faster than expected: Zhipu AI's GLM-5.2, released June 13 under an MIT license, beat Claude Code on a reasoning-heavy security benchmark using a bare prompt and no scaffolding at all. Unlike Mythos or GPT-5.5-Cyber, anyone can download and run GLM-5.2 locally.
That means that everything in Athropic’s Red Team report on Mythos can and will happen in new ways with more models. So it’s important for anyone responsible for cybersecurity to know about these.
27-year-old OpenBSD TCP vulnerability: remote crash, no authentication
OpenBSD is the operating system that security-conscious teams choose specifically because of its hardened codebase. It's been continuously audited for decades. Mythos found a bug that had been sitting in it since 1998.
The vulnerability is in OpenBSD's implementation of TCP SACK (Selective Acknowledgement). Here's the simplified version:
- TCP SACK lets a receiving host tell the sender which specific packet ranges it got, instead of just "everything up to packet X"
- OpenBSD tracks these ranges as a linked list of "holes" – gaps in the acknowledged data
- Mythos found that the code checks whether the end of an acknowledged range falls within the send window, but doesn't check the start
- By itself, that's mostly harmless. But Mythos found a second bug: if a specially crafted SACK block simultaneously deletes the only hole in the list and triggers the append-a-new-hole path, the code writes through a null pointer
- That combination should be impossible. Except TCP sequence numbers are 32-bit integers that wrap around, and the comparison uses signed arithmetic. At roughly 2^31 distance from the real window, the signed subtraction overflows, and both conditions become true at the same time.
The result: any attacker who can reach a TCP port on an OpenBSD machine can crash it remotely repeatedly, with no authentication needed.
This bug sat in production for 27 years. Finding it cost Anthropic under $50 in compute for the specific run, within a broader sweep of roughly $20,000 across a thousand runs.
17-year-old FreeBSD NFS remote code execution: full root, no authentication
This is the most serious vulnerability Anthropic disclosed. CVE-2026-4747: a 17-year-old remote code execution bug in FreeBSD's NFS server that gives an unauthenticated attacker full root access to the machine.
Mythos found it and built a working exploit, fully autonomously. No human guided the exploit development.
The breakdown:
- FreeBSD's NFS server implements the RPCSEC_GSS authentication protocol
- One of the methods copies attacker-controlled packet data into a 128-byte stack buffer, starting 32 bytes in – leaving only 96 bytes of room
- The only length check enforces that the source buffer is under 400 bytes. So an attacker can write up to 304 bytes of arbitrary content onto the stack.
- From there, it's a standard return-oriented programming (ROP) attack – reusing existing kernel code in a different sequence to take control
What makes it worse: every mitigation that should block this doesn't apply on this specific codepath. FreeBSD's stack protector only instruments functions with char arrays, and this buffer is declared as int32_t[32], so no stack canary gets emitted. FreeBSD doesn't randomize the kernel load address, so predicting ROP gadget locations doesn't require an information disclosure bug first.
Mythos even solved the last remaining obstacle – the attacker needs to know a 16-byte handle to reach the vulnerable code path. It found that a single unauthenticated NFSv4 EXCHANGE_ID call leaks the host UUID and NFS daemon start time, which is enough to reconstruct the handle.
For comparison: an independent security research company showed that Opus 4.6 could exploit this same vulnerability, but it required human guidance. Mythos did it without any.
Browser exploits: Mythos chaining 4 vulnerabilities into a single JIT heap spray attack
Anthropic reports that Mythos found exploitable vulnerabilities in every major web browser. The details are mostly redacted – the bugs haven't been patched – but the one example they describe is striking.
Mythos wrote a browser exploit that chained four separate vulnerabilities into a JIT heap spray that escaped both the renderer sandbox and the OS sandbox. That's a full browser compromise from a single malicious page.
The Firefox numbers give scale to the capability gap:
- Opus 4.6 turned known Firefox JavaScript engine vulnerabilities into working exploits 2 times out of several hundred attempts
- Mythos: 181 working exploits, plus 29 more with register control
What the Mythos red team report means for defenders
These vulnerabilities share a pattern: they existed in heavily audited, well-maintained codebases for 10, 16, 17, 27 years. Traditional security tools and human review missed them. Mythos didn't.
If you're responsible for infrastructure security, a few things to act on:
- Audit your open-source dependencies, especially long-lived C/C++ code. If Mythos found bugs in OpenBSD, FFmpeg, and FreeBSD, your dependencies have bugs too. The age of the codebase is no longer a signal of safety.
- Accelerate your patch cadence for critical infrastructure. The window between disclosure and exploitation is shrinking fast. Monthly patching isn't fast enough when AI-discovered vulnerabilities are entering the pipeline at industrial volume.
- Watch the disclosure pipeline. Anthropic says over 99% of what they've found is still unpatched and undisclosed. More CVEs are coming. Pay attention to updates from the projects you depend on.
- Use AI for defensive auditing. The same capability that finds these bugs offensively can be pointed at your own codebase. If you're not running AI-assisted security reviews on your critical systems, you're leaving exposure on the table.
Read the full report and get ahead of the curve
Mythos found bugs that decades of audits, fuzzing, and human review missed, in software that runs a meaningful share of the internet. That capability didn't stay contained to one lab for long, and it isn't getting more contained from here. Whatever else you take from this report, take that: the cost of finding a critical vulnerability is falling fast, for attackers and defenders alike.
The smart move is to get ahead of that shift rather than wait for the next patch cycle to catch you up. Read Anthropic's full Red Team report if you want more details and then take an honest look at how old the code in your own stack really is.
Don't Miss
Another Update
new content is published
Cole
Cole is Codingscape's Content Marketing Strategist & Copywriter.
