Public Models Reproduce Key Anthropic Mythos Vulns
GPT-5.4 and Claude Opus 4.6 reproduced Anthropic's Mythos vulnerabilities in FreeBSD (CVE-2026-4747, 3/3 exact), Botan (CVE-2026-34580/82, 3/3 exact), and OpenBSD (27-year bug, Claude 3/3 exact) using open-source opencode agent, proving AI vuln discovery is accessible; real moat is validation and workflows.
Public Models Achieve Exact Reproductions on High-Impact Cases
Use open-source agent opencode with GPT-5.4 or Claude Opus 4.6 in a chunked security-review workflow—planning step splits files into chunks, detection step scans assigned ranges while inspecting repo files—to rediscover Anthropic's Mythos bugs without proprietary stacks. Both models exactly reproduced FreeBSD CVE-2026-4747 (3/3 runs each): in svc_rpc_gss_validate(), fixed 128-byte stack buffer overflows by up to 304 bytes from unchecked oa_length up to MAX_AUTH_BYTES (400) in network-reachable RPC path. Both also exactly hit Botan CVE-2026-34580/82 (3/3): certificate_known() trusts via subject_dn + subject_key_id match, bypassing exact identity checks for OCSP and path-building. Claude Opus 4.6 alone exactly reproduced OpenBSD's 27-year TCP SACK state logic bug (3/3), reasoning sequence comparisons, linked-lists, and range edges where GPT-5.4 failed (0/3). Total cost per file scan stayed under $30, showing capability spreads via public APIs.
This counters Anthropic's Glasswing gating claim: agentic processes (codebase access, runtime isolation, file ranking, parallel retries, second-pass filtering) succeed outside their lab, democratizing discovery of remote roots, parsers, and trust flaws.
Partial Hits Expose Gaps in Parser and Crypto Logic
Models narrow search spaces but falter on full reasoning chains for complex state. On FFmpeg h264_slice.c, both yielded partials (3 attempts): surfaced parser risks like state/counters/sentinels but missed exact H.264 boundary violation after heavy fuzzing pressure. For wolfSSL CVE-2026-5194, partials spotted missing hash_len checks in wc_SignatureVerifyHash() and adjacent SigOidMatchesKeyOid() gaps, but misframed impact as length/DoS instead of key-hash semantic mismatch enabling invalid algos. These reveal limits: public models spot missing checks in crypto paths but undervalue invariants, turning leads into non-reproductions without human steering.
Reproductions prioritized category breadth (network, parsers, protocols, auth, systems) over volume, using model-generated chunk plans (e.g., FreeBSD lines 1158-1215) for non-manual curation.
Defenders Must Prioritize Operationalization Over Model Access
Mythos signals frontier models excel at agentic cyber tasks (CyberGym, SWE-bench, Terminal-Bench deltas), but public equivalents shift moat from raw capability to validation/prioritization/remediation. AppSec teams face undiscovered issues in trust boundaries, auth flows, parsers, legacy paths; integrate AI via SSDLC tools for filtering low-value findings, CI hooks, and air-gapped runs. Revisit 'too hard' bugs—public agents shorten discovery-to-exploit gaps, cheapening validation for defenders and attackers alike. Build workflows now: parallel attempts, hypothesis testing, human-model loops beat waiting for invites.