Full Report
In April, Anthropic initated Project Glasswing. The idea was to let companies use their new model to find and fix vulnerabilities in their own software. It was a fantastic PR move, and so many press outlets have uncritically parroted Anthropic’s claims that it’s now common wisdom that Mythos is better at finding software vulnerabilities than other models. Which is just not true. In any case, Anthropic has published a Project Glasswing status report. It’s finding a lot of vulnerabilities in software—yay! Some of them are even dangerous. But almost none of them has been patched. It’s ...
Analysis Summary
# Vulnerability: Large-Scale AI-Detected Flaws via Project Glasswing
## CVE Details
- **CVE ID:** None assigned. (The report refers to a bulk finding of ~23,000 potential vulnerabilities rather than a specific tracked CVE).
- **CVSS Score:** N/A (Individual scores vary; report indicates some are "dangerous").
- **CWE:** Various (Covers wide-ranging weaknesses in Open Source Software).
## Affected Systems
- **Products:** Various Open Source Software (OSS) projects.
- **Versions:** Multiple (Across approximately 1,000 different OSS projects).
- **Configurations:** General source code repositories analyzed by the Mythos model.
## Vulnerability Description
Anthropic’s "Project Glasswing" utilized its AI model, **Mythos**, to scan for security flaws in software. According to the status report, the model detected approximately 23,000 potential vulnerabilities. However, technical specifics regarding the nature of these flaws (e.g., buffer overflows, injection points, logic errors) have not been released to the public. Security researchers have expressed skepticism regarding the ratio of true positives to false positives in this dataset, as Anthropic has not provided granular technical data for independent verification.
## Exploitation
- **Status:** PoC status unknown. While Anthropic claims to have found dangerous vulnerabilities, there is no evidence of active exploitation in the wild for the bulk of findings.
- **Complexity:** Unknown.
- **Attack Vector:** Various (Depends on the specific project and flaw).
## Impact
- **Confidentiality:** Variable (Likely High for specific "dangerous" flaws).
- **Integrity:** Variable.
- **Availability:** Variable.
## Remediation
### Patches
- **None widespread:** The report highlights a significant "patch gap," noting that almost none of the vulnerabilities identified by Project Glasswing have been remediated by the respective software maintainers yet.
### Workarounds
- No specific workarounds provided due to the lack of disclosed technical details.
## Detection
- **Indicators of Compromise:** None identified.
- **Detection Methods and Tools:** Anthropic's proprietary **Mythos** model was the primary detection tool. Third-party verification is currently hindered by the lack of disclosed data.
## References
- Anthropic Project Glasswing Announcement: hxxps[://]www[.]anthropic[.]com/glasswing
- Schneier on Security: hxxps[://]www[.]schneier[.]com/blog/archives/2026/06/anthropics-project-glasswing-update[.]html
- Security Week Report: hxxps[://]www[.]securityweek[.]com/anthropic-mythos-detected-23000-potential-vulnerabilities-across-1000-oss-projects/