curl Founder Tests Anthropic Mythos on 176K Lines of C Code, Finds Only One Low‑Severity Vulnerability

In a detailed blog post, curl creator Daniel Stenberg evaluated Anthropic's Mythos model against curl's 176,000 lines of C code: the model reported five security issues, which collapsed to a single low‑severity CVE after manual verification, and he concluded that the hype around the model far exceeds its actual capability.

21CTO

On May 11, 2026, Daniel Stenberg, the founder of curl, published a comprehensive blog post describing his hands‑on evaluation of Mythos, Anthropic's AI model for security analysis. Anthropic had publicly claimed that Mythos was “dangerously good” at finding source‑code vulnerabilities and had limited its release to a small group of partners.

Stenberg obtained testing access through the Linux Foundation's Alpha Omega project. After a delay in granting permission, the scan was run by an authorized colleague on curl's production codebase, which consists of 176,000 lines of C code (excluding blank lines), roughly 660,000 words. Each line has been rewritten 4.14 times on average, the code has 573 current authors and 1,465 contributors over its history, and the project has already issued 188 CVEs.

The Mythos scan covered the src/ and lib/ directories, encompassing all major protocols, TLS verification paths, authentication mechanisms, content encoding, and connection reuse. Mythos reported five “confirmed” security issues with high confidence.

curl's security team manually investigated each finding. Three were false positives (behaviors already documented as normal in the API), one was a benign functional bug, and only one was confirmed as a low‑severity CVE. The fix for that CVE will ship with curl 8.21.0 in late June, and the issue is considered too minor to cause concern.

In addition to the five flagged items, Mythos listed about 20 ordinary bugs. The total number of findings was lower than what the AI‑based tools already reporting to the curl project (AISLE, ZeroPath, OpenAI Codex Security) had uncovered in the previous 8‑10 months, during which those tools helped fix 200‑300 bugs and a dozen security‑related CVEs.

Stenberg noted that, while AI‑driven code analysis tools like Mythos can spot mismatches between code and comments, detect API misuse, and reason about protocol specifications better than traditional static analyzers, they still do not discover entirely new vulnerability classes. Their findings still require human verification, and the patches they generate are rarely usable as‑is.

He concluded that Mythos's capabilities are overstated; the model is not a “dangerous‑level weapon.” Nevertheless, AI‑assisted analysis does outperform conventional static analysis and can surface many latent issues for projects that have not yet adopted such tools. Ultimately, robust security depends on disciplined engineering practices: memory‑safe designs, explicit bounds checking, overflow protection, and thorough manual review, rather than any single AI tool.
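The "explicit bounds checking, overflow protection" point, and the "code does not match its comment" pattern the AI tools are good at catching, in a small worked example. This is an added illustration, not code from curl or from Stenberg's post; the record format (an 8‑byte big‑endian length followed by that many payload bytes), the `parse_record_*` functions, and the sample records are all constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed record format for this example (not curl's wire format):
 * an 8-byte big-endian length field followed by that many payload bytes. */
#define HDR_LEN 8

struct view {
    const unsigned char *ptr;  /* start of payload inside the input buffer */
    size_t len;                /* payload length */
};

static uint64_t read_be64(const unsigned char *p)
{
    uint64_t v = 0;
    for(int i = 0; i < HDR_LEN; i++)
        v = (v << 8) | p[i];
    return v;
}

/* Naive parser. Its comment promises the record is checked against the
 * buffer, but `offset + HDR_LEN + len` is computed in size_t and silently
 * wraps for a huge len, so the check passes and the returned view points
 * past the end of the buffer. Returns true when the record is accepted. */
bool parse_record_naive(const unsigned char *buf, size_t size, size_t offset,
                        struct view *out)
{
    if(offset + HDR_LEN > size)
        return false;
    size_t len = (size_t)read_be64(buf + offset);
    /* "Make sure the whole record fits in the buffer" -- this is the bug. */
    if(offset + HDR_LEN + len > size)
        return false;
    out->ptr = buf + offset + HDR_LEN;
    out->len = len;
    return true;
}

/* Hardened parser: compare against the remaining space instead of adding to
 * the offset, so no intermediate value can wrap around. */
bool parse_record_checked(const unsigned char *buf, size_t size, size_t offset,
                          struct view *out)
{
    if(offset > size)
        return false;
    size_t remaining = size - offset;       /* cannot underflow now */
    if(remaining < HDR_LEN)
        return false;
    uint64_t len64 = read_be64(buf + offset);
    if(len64 > SIZE_MAX)                    /* 32-bit size_t: reject, never truncate */
        return false;
    size_t len = (size_t)len64;
    if(len > remaining - HDR_LEN)           /* no addition, so no wraparound */
        return false;
    out->ptr = buf + offset + HDR_LEN;
    out->len = len;
    return true;
}

/* Constructed inputs: a well-formed record with a 3-byte payload, and a
 * malicious one whose length is SIZE_MAX - 7, so offset + 8 + len wraps to 0. */
static const unsigned char good_record[] = {
    0, 0, 0, 0, 0, 0, 0, 3, 'a', 'b', 'c'
};
static const unsigned char evil_record[] = {
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xf8, 'x', 'y', 'z'
};

/* Small wrappers so the two parsers can be compared on the same record. */
int naive_accepts(const unsigned char *rec, size_t size)
{
    struct view v;
    return parse_record_naive(rec, size, 0, &v) ? 1 : 0;
}

int checked_accepts(const unsigned char *rec, size_t size)
{
    struct view v;
    return parse_record_checked(rec, size, 0, &v) ? 1 : 0;
}

size_t checked_payload_len(const unsigned char *rec, size_t size)
{
    struct view v = { NULL, 0 };
    return parse_record_checked(rec, size, 0, &v) ? v.len : 0;
}

int main(void)
{
    printf("good record: naive=%d checked=%d\n",
           naive_accepts(good_record, sizeof good_record),
           checked_accepts(good_record, sizeof good_record));
    printf("evil record: naive=%d checked=%d\n",
           naive_accepts(evil_record, sizeof evil_record),
           checked_accepts(evil_record, sizeof evil_record));
    return 0;
}
```

The naive version accepts the crafted record because the sum wraps to zero; a reviewer reading only the comment would assume the check is sound, which is exactly the code/comment mismatch the article says these tools tend to catch. The checked version never adds to the offset, which is the same discipline curl applies in its own length handling.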

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: C language, information security, static analysis, cURL, AI code analysis, Anthropic Mythos
Written by

21CTO

21CTO (21CTO.com) offers developers community, training, and services, making it your go‑to learning and service platform.
