Anthropic Withholds New AI Model After Discovering Thousands of Critical Vulnerabilities Across OS and Browsers
What Happened — Anthropic announced that its unreleased Claude Mythos Preview model has already identified thousands of high‑severity vulnerabilities, including a 27‑year‑old flaw in OpenBSD and multiple kernel‑level exploits in Linux. Because of the risk of rapid weaponisation, Anthropic limited access to a vetted consortium of 40+ tech firms (Project Glasswing) and will not make the model publicly available.
Why It Matters for TPRM —
- The model demonstrates that AI can autonomously discover zero‑day exploits, enlarging the threat surface for any third party that integrates or relies on generative AI.
- Vendors without robust AI‑risk controls could inadvertently expose their customers to weaponised exploits.
- Supply‑chain partners must reassess AI‑related contracts and ensure contractual safeguards against misuse.
Who Is Affected — Technology vendors (cloud, SaaS, API providers), enterprises deploying AI‑enhanced products, critical‑infrastructure operators, and any organization that outsources development to AI‑driven services.
Recommended Actions —
- Review contracts with AI vendors for clauses on responsible model release and misuse mitigation.
- Validate that third‑party AI tools undergo independent security testing and have a clear governance framework.
- Incorporate AI‑risk assessments into existing vendor risk programs and monitor for emerging AI‑driven exploit capabilities.
Technical Notes — The Mythos Preview model acted as an advanced fuzzer, chaining multiple vulnerabilities (e.g., bypassing Kernel ASLR, reading/writing kernel memory) to produce functional exploits. Notable findings include a remote‑crash bug in OpenBSD and privilege‑escalation chains in the Linux kernel.
Source: DataBreachToday