Mythos "discovered" a CVE already present in its training data, but this remains worrying

Anthropic made headlines by claiming that Claude Mythos created the "first remote kernel exploit discovered and used by AI". We decided to investigate how it pulled this off, and found a 20-year-old bug hiding in plain sight

Let's break down what we believe Mythos did, and what this means for cybersecurity.

What did Claude find?

In Anthropic's first post about Claude Mythos, the company details a host of different vulnerabilities that Mythos was able to detect and exploit. The vulnerability we have the most information on (including its CVE and full technical description) is CVE-2026-4747: a remote code execution flaw in the FreeBSD network file system. These network file systems are used across thousands of network storage systems in corporate and scientific research centers.

While this exploit is a testament to impressive engineering achievement, anyone following AI development won't be surprised by an agent framework's ability to write code; we were personally more curious to understand how the AI even found the vulnerability in the first place. The write-up for the vulnerability notes that it is "textbook" — a classic stack overflow, made even simpler by the fact that FreeBSD is not compiled with standard protection measures (KASLR/Stack Canaries):

In sys/rpc/rpcsec_gss/svc_rpcsec_gss.c, the svc_rpc_gss_validate() function reconstructs the RPC header in a 128-byte stack buffer (rpchdr[]) to verify the GSS-API signature. First, it writes 32 bytes of fixed RPC header fields, then copies the full RPCSEC_GSS credentials body (oa_length bytes) into the remaining space, without checking if oa_length fits there.

To develop this standard, IETF organized a working group that published the RPCSEC_GSS protocol (RFC 2203) in 1997. The majority of the open-source work to implement NFSv4, RPCSEC_GSS, and the corresponding required kernel-level components was funded and developed by the University of Michigan's Center for Information Technology Integration (CITI).

The University of Michigan is still mentioned in the copyright headers of the Kerberos implementation created by the Massachusetts Institute of Technology (MIT) (active developers are used to seeing such notices, but tend to overlook them), as well as in nearly identical files copied into the FreeBSD implementation.

Copyright (c) 2000 The Regents of the University of Michigan.
 All rights reserved.

 Copyright (c) 2000 Dug Song .
 All rights reserved, all wrongs reversed.

 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions
 are met:

 1. Redistributions of source code must retain the above copyright
    notice, this list of conditions and the following disclaimer.
 2. Redistributions in binary form must reproduce the above copyright
    notice, this list of conditions and the following disclaimer in the
    documentation and/or other materials provided with the distribution.
 3. Neither the name of the University nor the names of its
    contributors may be used to endorse or promote products derived
    from this software without specific prior written permission.

Wait a minute, "copied"?

FreeBSD stores the entire base operating system — kernel, drivers, and required system utilities — in one large unified repository. It also includes RPCSEC_GSS functionality that is nearly identical to the MIT Kerberos code, and is used in almost every Linux distribution to implement secure NFS operations.

So does that mean we should expect the CVE Mythos issue to also affect the MIT implementation? Could we be dealing with an even more serious problem?

Please give it a warm welcome — good old CVE-2007-3999! In the NIST NVD, this vulnerability is described as follows:

stack buffer overflow in the svcauth_gss_validate function of the lib/rpc/svc_auth_gss.c file from the RPCSEC_GSS RPC (librpcsecgss) library, included in MIT Kerberos 5 (krb5) versions 1.4 through 1.6.2 that are used by the Kerberos administrative daemon (kadmind) as well as some third-party applications leveraging krb5; it allows attackers to cause a denial of service (daemon crash) and likely execute arbitrary code via a long string in an RPC message.

This CVE was patched in 2007. But something about this description feels terribly familiar…

The culprit is CVE-2007-3999!

The last vulnerable Kerberos version was 1.16.2. Comparing the vulnerable function from 2007 (likely part of Claude's training data) with Mythos' discovery speaks for itself:

Vulnerable Kerberos, 2007

// src/lib/rpc/svc_auth_gss.c
// Added 2 new lines for body alignment

static bool_t
svcauth_gss_validate(struct svc_req *rqst, struct svc_rpc_gss_data *gd, struct rpc_msg *msg)
{
struct opaque_auth *oa;
gss_buffer_desc rpcbuf, checksum;
OM_uint32 maj_stat, min_stat, qop_state;
u_char rpchdr[128];
int32_t *buf;

log_debug("in svcauth_gss_validate()");

memset(rpchdr, 0, sizeof(rpchdr));

/* XXX - Reconstructing the RPC header for signing (from xdr_callmsg). */
buf = (int32_t *)(void *)rpchdr;
IXDR_PUT_LONG(buf, msg->rm_xid);
IXDR_PUT_ENUM(buf, msg->rm_direction);
IXDR_PUT_LONG(buf, msg->rm_call.cb_rpcvers);
IXDR_PUT_LONG(buf, msg->rm_call.cb_prog);
IXDR_PUT_LONG(buf, msg->rm_call.cb_vers);
IXDR_PUT_LONG(buf, msg->rm_call.cb_proc);
oa = &msg->rm_call.cb_cred;
IXDR_PUT_ENUM(buf, oa->oa_flavor);
IXDR_PUT_LONG(buf, oa->oa_length);
if (oa->oa_length) {
memcpy((caddr_t)buf, oa->oa_base, oa->oa_length);
buf += RNDUP(oa->oa_length) / sizeof(int32_t);
}
// To be continued...
}

Vulnerable FreeBSD, 2026

// sys/rpc/rpcsec_gss/svc_rpcsec_gss.c
static bool_t
svc_rpc_gss_validate(struct svc_rpc_gss_client *client, struct rpc_msg *msg,
   gss_qop_t *qop, rpc_gss_proc_t gcproc)
{
struct opaque_auth *oa;
gss_buffer_desc rpcbuf, checksum;
OM_uint32 maj_stat, min_stat;
gss_qop_t qop_state;
int32_t rpchdr[128 / sizeof(int32_t)];
int32_t *buf;

rpc_gss_log_debug("in svc_rpc_gss_validate()");

memset(rpchdr, 0, sizeof(rpchdr));

/* Reconstructing the RPC header for signing (from xdr_callmsg). */
buf = rpchdr;
IXDR_PUT_LONG(buf, msg->rm_xid);
IXDR_PUT_ENUM(buf, msg->rm_direction);
IXDR_PUT_LONG(buf, msg->rm_call.cb_rpcvers);
IXDR_PUT_LONG(buf, msg->rm_call.cb_prog);
IXDR_PUT_LONG(buf, msg->rm_call.cb_vers);
IXDR_PUT_LONG(buf, msg->rm_call.cb_proc);
oa = &msg->rm_call.cb_cred;
IXDR_PUT_ENUM(buf, oa->oa_flavor);
IXDR_PUT_LONG(buf, oa->oa_length);
if (oa->oa_length) {
memcpy((caddr_t)buf, oa->oa_base, oa->oa_length);
buf += RNDUP(oa->oa_length) / sizeof(int32_t);
}
// To be continued...
}

The George Bush-era Kerberos patch is also almost identical to the one implemented by FreeBSD last month after the discovery made by Mythos:

*** src/lib/rpc/svc_auth_gss.c (revision 20474)
--- src/lib/rpc/svc_auth_gss.c (local)
***************
*** 355,360 ****
--- 355,369 ----
  memset(rpchdr, 0, sizeof(rpchdr));
 
  /* XXX - Reconstruction of the RPC header for signing (from xdr_callmsg). */
+ oa = &msg->rm_call.cb_cred;
+ if (oa->oa_length > MAX_AUTH_BYTES)
+ return (FALSE);
+
+ /* 8 XDR blocks from IXDR macro calls. */
+ if (sizeof(rpchdr) < (8 * BYTES_PER_XDR_UNIT +
+      RNDUP(oa->oa_length)))
+ return (FALSE);
+
  buf = (int32_t *)(void *)rpchdr;
  IXDR_PUT_LONG(buf, msg->rm_xid);
  IXDR_PUT_ENUM(buf, msg->rm_direction);
***************
*** 362,368 ****
  IXDR_PUT_LONG(buf, msg->rm_call.cb_prog);
  IXDR_PUT_LONG(buf, msg->rm_call.cb_vers);
  IXDR_PUT_LONG(buf, msg->rm_call.cb_proc);
- oa = &msg->rm_call.cb_cred;
  IXDR_PUT_ENUM(buf, oa->oa_flavor);
  IXDR_PUT_LONG(buf, oa->oa_length);
  if (oa->oa_length) {
--- 371,376 ----

So can AI detect entirely new vulnerabilities that require a creative approach? Maybe. But in the case of CVE-2026-4747, the vulnerability discovery itself looks more like an example of combinatorial creativity: the AI made a finding that was already present in its training data.

Such "rediscoveries" made by AI in mathematics and other sciences are now being discussed more and more widely; it is time to discuss them in the cybersecurity field as well. What are the boundaries of truly novel AI discoveries, and do they even exist? Is this distinction really that important?

Summary

To understand the true threat posed by AI in cybersecurity, we need to separate sci-fi hype from the reality of how these models actually work.

Real threat: reused code

The FreeBSD CVE was caused by human negligence dating back to the early 2000s.

But today, in 2026, bugs that are already decades old are being added directly to our systems at a breakneck pace. When configuring our environments and writing new code, LLMs regurgitate the exact same insecure patterns they were trained on.

AI will find these flaws and exploit them

Modern models do not need to be particularly creative to bankrupt a company or take down a power grid. They just need to act as powerful pattern hounds, sniffing out and exploiting legacy bugs that weaker AI models carelessly copy-pasted into the environment.

Agentic defense is a necessary advantage

Ultimately, it does not matter whether an exploit is "unique" or simply memorized training data. What matters is the damage it can cause when used, and AI has drastically reduced the cost of deploying exploits.

Note

A Reddit user noted a significant error in the article. It references a post https://github.com/califio/publications/blob/main/MADBugs/CVE-2026-4747/write-up.md

This is a GitHub repository owned by Calif, a cybersecurity firm (its blog: https://blog.calif.io). This is not Anthropic, and it did not have access to Mythos Preview. This is not an Anthropic article, it was a mistake.

Here is a useful timeline for context:

March 26: The FreeBSD CVE is released, authored by "Nicholas Carlini, using Claude, Anthropic" (it is worth noting that, as usual, Carlini did not specify the Claude model in his report) https://www.freebsd.org/security/advisories/FreeBSD-SA-26:08.rpcsec_gss.asc
March 29: Calif security researchers, using the CVE report and a large volume of effective prompting, got a publicly available Claude model (the specific model is also not specified) to develop an exploit.
March 31: Calif publishes its findings (https://blog.calif.io/p/mad-bugs-claude-wrote-a-full-freebsd)
April 7: Carlini states that the FreeBSD CVE was discovered using Anthropic's new Mythos Preview model, and that it instantly (and autonomously) created an exploit (https://red.anthropic.com/2026/mythos-preview/)

Calif's findings sparked lively discussion, but because developing the exploit required a large amount of human prompting, skepticism arose about its significance. What is more interesting in this story is that Mythos Preview can autonomously complete the entire process from finding a vulnerability (which, as we learned from this article, is essentially identical to one previously patched in Kerberos) to creating an exploit (and of course, this process was completed earlier than Calif's work, though Calif published its article first).

Unfortunately, due to the similarity between these two stories, readers began confusing Calif's exploits with Anthropic's, and Calif's repository with Anthropic's article.

Comments

    Also read