Mythos 'Discovered' a CVE in Its Training Data and That's Still Worrying (rival.security)

Anthropic's AI model, Claude Mythos, has claimed to discover and exploit its first remote kernel vulnerability, identified as CVE-2026-4747, in FreeBSD's networked file system. This vulnerability, which has been lingering for over two decades, allows for remote code execution. While the technical details reveal a classic stack overflow issue exacerbated by missing safeguards, the more pressing concern is the implications of AI's role in uncovering and potentially exploiting such flaws. The ability of AI to identify vulnerabilities that have slipped under the radar for years raises questions about the effectiveness of traditional cybersecurity practices. This incident underscores a significant challenge within the AI/ML community: as AI systems become more capable of recognizing patterns, including historical bugs, they could perpetuate old vulnerabilities into new codebases. The incident prompts a critical evaluation of the boundaries of AI's discovery capabilities, suggesting that AI may not be generating new vulnerabilities but rather recycling old ones. This not only emphasizes the urgency for updated cybersecurity measures but also highlights the need for organizations to adopt proactive, agentic defense strategies to stay ahead of potential exploits that could lead to severe operational disruptions.