Anthropic's Mythos AI Finds 17-Year-Old FreeBSD Exploit, Triggers U.S. Policy Reversal

Overview

Anthropic's frontier AI model Mythos autonomously discovered a 17-year-old remote code execution (RCE) vulnerability in FreeBSD that survived decades of expert security review. The model also identified approximately 300 bugs in Firefox — roughly 15 times more than previous Claude models found in comparable tasks.

What Mythos Can Do

Mythos navigates code repositories autonomously, identifies unknown vulnerabilities, and writes proof-of-concept exploit code. The FreeBSD flaw originated in pre-2007 code. Anthropic CEO Dario Amodei told CNBC: "We are at a dangerous cyber moment. Mythos operates at near nation-state hacking capability."

Controlled Deployment via Project Glasswing

Rather than a public release, Anthropic provides Mythos exclusively to 40+ organizations in Project Glasswing, including Apple, Amazon, JPMorgan Chase, and Palo Alto Networks. Partners use it for defensive vulnerability discovery, with findings shared with relevant software maintainers.

Policy Impact

The Mythos revelations prompted the Trump administration — previously hostile to AI regulation — to study mandatory pre-release evaluations for frontier AI models. Google, Microsoft, and xAI have already signed evaluation agreements with the government's Center for AI Standards and Innovation (CAISI), which has completed 40+ model assessments. National Economic Council Director Kevin Hassett said: "We are not envisioning a large new bureaucracy, but government review of frontier AI is necessary."

Source: CNBC - Anthropic Mythos AI (May 8, 2026)