Vulnerability  ·  2026-04-15

Project Glasswing CVE Transparency Gap — Only One Confirmed CVE Despite 'Thousands' Claimed

Vulnerability  ·  High impact  ·  CVE-2026-4747 (confirmed); thousands under embargo
Analysis by The Register and security researcher Patrick Garrity reveals that despite Anthropic's claims of discovering thousands of zero-day vulnerabilities through Claude Mythos Preview, only one CVE — CVE-2026-4747, a remote code execution bug in FreeBSD — can be directly tied to Project Glasswing. Of 75 CVE records mentioning 'Anthropic', 35 affect Anthropic's own tools and 40 may be Glasswing finds but cannot be confirmed.
CVE-2026-4747 allows an unauthenticated remote attacker to gain complete control of a FreeBSD server. Additional claimed vulnerabilities include a 27-year-old OpenBSD bug, a 16-year-old FFmpeg bug, and Linux kernel privilege escalation chains, all without assigned CVEs.
Affected: FreeBSD (confirmed); OpenBSD, FFmpeg, the Linux kernel, and vulnerabilities across every major OS and web browser (claimed but under embargo).
Patch FreeBSD systems against CVE-2026-4747 immediately. For the broader Glasswing disclosure, monitor Anthropic's planned public summary report expected around July 2026. Review the CSA 'Mythos-Ready' briefing for defensive posture recommendations.
Sources
The Register — Anthropic's Project Glasswing CVE Count Is Still Guesswork
Help Net Security — The Exploit Gap Is Closing
CSO Online — Behind the Mythos Hype, Glasswing Has Just One Confirmed CVE