Anthropic's Project Glasswing CVE tally is still anyone's guess

The mystery numbers
Anthropic stunned the security world last week by saying its new Mythos model is so good at finding vulnerabilities that releasing it would be dangerous. To avoid "breaking the internet," the company allegedly restricted access to a roughly 50‑member preview program called Project Glasswing, inviting select vendors to run the model against their own products. It has been reported that participants include Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, the Linux Foundation, Microsoft, Nvidia, Palo Alto Networks, Intel — and Anthropic itself.
So how many CVEs did Mythos actually surface? VulnCheck researcher Patrick Garrity dug through the public CVE repository and found 75 records that mentioned "Anthropic" since February. Thirty‑five of those concern Anthropic's own tools or third‑party integrations and are not tied to Project Glasswing. The remaining 40 are credited to Anthropic or affiliated researchers and might be Glasswing discoveries — or they might not. Ambiguity, in short. Garrity further broke those 40 down by attribution (core Anthropic, Nicholas Carlini, and a Calif.io "MADBugs" program credited as "Calif.io in collaboration with Claude and Anthropic Research") and by target: 28 affect Mozilla Firefox, nine hit wolfSSL, and the rest touch F5/NGINX Plus, FreeBSD, and OpenSSL.
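The bucketing described above, filtering the public CVE feed for records that mention "Anthropic" and then separating records where Anthropic is the affected vendor (its own tools or integrations) from records where Anthropic appears only in the credits, can be reproduced against the CVE JSON 5.x record layout (`cveMetadata.cveId`, `containers.cna.affected[]`, `containers.cna.credits[]`). The script below is an added example, not Garrity's or VulnCheck's code; all records in it are constructed sample data with placeholder ids, and it also handles the edge case the article's ambiguity hints at: a record that names Anthropic in both places gets set aside for a human read rather than silently counted either way.

```python
"""Bucket CVE JSON 5.x records that mention "Anthropic" into three groups:
   own_or_integration  - Anthropic (or an Anthropic integration) is the affected product
   credited            - Anthropic appears only in the credits (bug reported elsewhere)
   ambiguous           - Anthropic appears in both affected and credits; needs review
then tally the credited group by credit string and by affected product.

SAMPLE_RECORDS are constructed sample data with placeholder CVE ids; only the
field layout follows the public CVE JSON 5.x schema.
"""
from collections import Counter

KEYWORD = "anthropic"

SAMPLE_RECORDS = [
    {   # constructed: Anthropic product is itself affected -> own tools bucket
        "cveMetadata": {"cveId": "CVE-0000-00001"},
        "containers": {"cna": {
            "affected": [{"vendor": "Anthropic", "product": "Example CLI tool"}],
            "credits": [{"lang": "en", "value": "External reporter"}],
        }},
    },
    {   # constructed: credited to an Anthropic researcher, affects a third-party project
        "cveMetadata": {"cveId": "CVE-0000-00002"},
        "containers": {"cna": {
            "affected": [{"vendor": "Example OS Project", "product": "example-os"}],
            "credits": [{"lang": "en", "value": "Jane Doe using Claude, Anthropic"}],
        }},
    },
    {   # constructed: third-party integration of an Anthropic product -> own/integration bucket
        "cveMetadata": {"cveId": "CVE-0000-00003"},
        "containers": {"cna": {
            "affected": [{"vendor": "Example Vendor", "product": "Anthropic connector plugin"}],
            "credits": [],
        }},
    },
    {   # constructed edge case: Anthropic in both affected and credits -> ambiguous
        "cveMetadata": {"cveId": "CVE-0000-00004"},
        "containers": {"cna": {
            "affected": [{"vendor": "Anthropic", "product": "Example SDK"}],
            "credits": [{"lang": "en", "value": "Anthropic Research"}],
        }},
    },
    {   # constructed: no mention of Anthropic at all -> ignored
        "cveMetadata": {"cveId": "CVE-0000-00005"},
        "containers": {"cna": {
            "affected": [{"vendor": "Other", "product": "thing"}],
            "credits": [{"lang": "en", "value": "Someone else"}],
        }},
    },
]


def _affected(rec):
    return rec.get("containers", {}).get("cna", {}).get("affected", [])


def _credit_strings(rec):
    return [c.get("value", "") for c in rec.get("containers", {}).get("cna", {}).get("credits", [])]


def mentions_in_affected(rec):
    """True if the keyword appears in any affected vendor or product name."""
    return any(KEYWORD in f"{a.get('vendor', '')} {a.get('product', '')}".lower()
               for a in _affected(rec))


def mentions_in_credits(rec):
    """True if the keyword appears in any credit line."""
    return any(KEYWORD in v.lower() for v in _credit_strings(rec))


def classify(records):
    """Return {'own_or_integration': [...], 'credited': [...], 'ambiguous': [...]} of CVE ids."""
    buckets = {"own_or_integration": [], "credited": [], "ambiguous": []}
    for rec in records:
        cve_id = rec["cveMetadata"]["cveId"]
        in_aff, in_cred = mentions_in_affected(rec), mentions_in_credits(rec)
        if in_aff and in_cred:
            buckets["ambiguous"].append(cve_id)      # leave for manual review
        elif in_aff:
            buckets["own_or_integration"].append(cve_id)
        elif in_cred:
            buckets["credited"].append(cve_id)
        # records with no mention are dropped
    return buckets


def tally_credited(records):
    """Count the credited-only records by exact credit string and by affected product."""
    by_credit, by_product = Counter(), Counter()
    for rec in records:
        if mentions_in_credits(rec) and not mentions_in_affected(rec):
            for value in _credit_strings(rec):
                if KEYWORD in value.lower():
                    by_credit[value] += 1
            for a in _affected(rec):
                by_product[a.get("product", "?")] += 1
    return by_credit, by_product


if __name__ == "__main__":
    print(classify(SAMPLE_RECORDS))
    print(*tally_credited(SAMPLE_RECORDS))
```

Note that the `credited` bucket is still only a candidate list, which is the article's point: a credit line says who reported the bug, not which model or program found it, so nothing in the record itself confirms a Glasswing origin.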
One clear lead — and a lot of speculation
Only one CVE so far can be cleanly tied to the Glasswing narrative: CVE‑2026‑4747, a remote‑code‑execution bug in FreeBSD credited to "Nicholas Carlini using Claude, Anthropic." Anthropic's blog, it has been reported, specifically name‑checked that CVE and claimed Mythos Preview "fully autonomously identified and then exploited a 17‑year‑old remote code execution vulnerability in FreeBSD" that could yield root via NFS. The company has also said Mythos found a patched 27‑year‑old OpenBSD bug, a 16‑year‑old FFmpeg flaw, and Linux kernel privilege escalation chains — claims that remain only partially traceable in public CVE records.
Why the fuss? Because if an LLM truly automates discovery and exploit development at scale, the infosec rules change. Or do they? For now the concrete, public evidence is thin — a single FreeBSD CVE tied to an Anthropic researcher — while a cluster of other Anthropic‑credited CVEs sits in a gray area. Companies want to fix bugs, researchers want credit, and the public wants assurance that "powerful" tools aren't being quietly weaponized. Project Glasswing promised transparency; what it has delivered so far is a puzzle box with just enough pieces to tease a picture, but not enough to be sure what it is.
Sources: The Register