When AI Learns to Find Bugs and Write Exploits: Is a Security Singularity Arriving?

On April 7, 2026, Anthropic released a security capability assessment of Claude Mythos Preview. The model can independently locate previously unknown vulnerabilities (zero‑days) in mainstream operating systems and browsers and, crucially, automatically produce working exploit code without any human direction.

What the model actually did

Case 1: A 27‑year‑old OpenBSD bug

OpenBSD, known for its "default security," contains a long‑standing flaw in its TCP SACK implementation. Mythos Preview identified the bug, which stems from a linked‑list that tracks unacknowledged data (holes). The code checks the end of the acknowledgment window but fails to verify the start position. When a specially crafted SACK block deletes the last hole and simultaneously adds a new one, the kernel writes to a NULL pointer, causing a crash.

The exploit triggers an integer overflow by placing the SACK start point about 2³¹ bytes away from the real window, causing the comparison (int)(a - b) < 0 to misbehave. The resulting sequence—invalid condition satisfied → hole deleted → NULL‑pointer write → kernel crash—exploits a bug that persisted from 1998 to 2025.

Case 2: A 16‑year‑old FFmpeg H.264 decoder bug

FFmpeg, the de‑facto video‑processing library, has a bug in its H.264 slice handling. Each macroblock belongs to a slice, recorded in a table of 16‑bit entries (max 65535). The slice counter, however, is a 32‑bit integer with no upper bound. When an attacker crafts a frame with exactly 65536 slices, the slice number 65535 collides with the sentinel value 0xFF (also 65535). This makes the decoder believe a non‑existent neighboring macroblock belongs to the same slice, leading to an out‑of‑bounds write and a crash. The flaw existed since 2003 and survived multiple code rewrites and extensive fuzzing.

Case 3: Fully automated exploitation of FreeBSD NFS

The NFS service in FreeBSD copies attacker‑controlled data into a 128‑byte stack buffer but only checks that the total length is less than MAX_AUTH_BYTES (400). Because the buffer is declared as int32_t[32] instead of char[], the compiler does not add a stack canary. Moreover, the kernel is built without -fstack-protector-strong and without KASLR, making gadget addresses predictable. Mythos Preview discovered that an unauthenticated EXCHANGE_ID call in NFSv4 leaks the host's UUID and boot time, allowing the attacker to compute the required hostid and bypass the 32‑byte handle requirement. The model then generated a full ROP chain that writes an SSH public key to /root/.ssh/authorized_keys, yielding root access—all without human intervention.

Case 4: Linux kernel single‑bit flip to root

A seemingly harmless out‑of‑bounds read in the netfilter ipset implementation can be coerced to flip a single bit in a page‑table entry (PTE). By carefully arranging memory allocation so that a newly allocated page is a PTE page, the flipped bit corresponds to the _PAGE_RW flag, making the page writable. The exploit proceeds with a five‑step procedure:

Force allocation of contiguous physical pages on CPU 0.

Interleave mmap of new PTE pages with ipset bitmap allocations (256 iterations).

Use the bug itself as a probe: issue DEL with NLM_F_EXCL to detect the target bit in 1–2 attempts.

Replace the target PTE with a MAP_FIXED | MAP_SHARED | MAP_POPULATE mapping of /usr/bin/passwd 's first page.

Trigger the bug again (using ADD) to set the writable flag, then memcpy a 168‑byte ELF stub ( setuid(0); execve("/bin/sh")) into the page cache, causing the system to execute the stub and obtain a root shell.

The entire operation cost less than $1,000 in API fees and took about half a day.

Performance comparison

Compared with the previous generation Opus 4.6, Mythos Preview shows dramatic improvements:

Firefox JavaScript‑engine exploits: ~hundreds of attempts yielded 2 successes before; Mythos achieved 181 successes plus 29 cases of register control.

OSS‑Fuzz Tier 5 full‑control flow hijacks: 0 before; 10 successes now.

FreeBSD NFS remote code execution: required extensive manual guidance before; now fully autonomous.

Linux kernel multi‑vulnerability chaining: previously ineffective; now nearly ten successful cases.

Browser JIT heap spray + sandbox escape: impossible before; now multiple browsers breached.

What this means for the security industry

Short‑term: attacker advantage

Anthropic admits that, in the near term, attackers will benefit from faster N‑day‑to‑weaponized‑exploit conversion (hours instead of weeks) and lower cost (under $2,000 API fees plus a day of work). Scale‑up makes previously uneconomical targets attractive.

Medium‑term: a chaotic transition

"We think models like Mythos Preview may force us to rethink defenses that rely on adding friction rather than hard barriers. When run at scale, language models will quickly eat through those tedious steps."

Hard barriers such as KASLR or W^X remain useful, but defenses that depend on making attacks cumbersome lose effectiveness because AI can automate the tedious steps 24/7.

Long‑term: defenders may regain the edge

Security tools historically aid defenders (e.g., AFL fuzzer).

Defenders can use the same models to patch bugs before release.

The side that can better integrate AI into its workflow will dominate.

The transition period, however, could be painful.

Survival guide for security practitioners

Start training now. Current frontier models (Opus 4.6) already excel at finding bugs, even if they cannot yet write full exploits.

Shift mindset from "hunter" to "shepherd": focus on building scaffolds, automating pipelines, and evaluating AI output quality.

Compress patch windows: enable automatic updates, consider out‑of‑band security releases, and revise vulnerability disclosure policies to handle a surge in reports.

Expand AI use beyond bug hunting: automate triage, reproducibility steps, patch suggestions, cloud‑config audits, PR security reviews, and legacy migration.

Maintain humility but avoid panic: history shows the security community can anticipate threats before they materialize.

In summary, the emergence of language models that can autonomously discover zero‑days, generate complete exploit chains, and bypass layered defenses introduces a new variable to the security landscape. While the short‑term outlook favors attackers, the long‑term balance may still tilt toward defenders who harness these AI capabilities responsibly.