AI Just Found 10,000 Bugs in Big Tech. The CVEs Are Flooding In.

The Claude Mythos CVE spike — tracked by Epoch AI — is the clearest evidence yet that AI-powered vulnerability discovery has hit industrial scale. After Anthropic’s Claude Mythos Preview launched Project Glasswing in April 2026, the monthly rate of high- and critical-severity CVE disclosures from major tech companies spiked 3.5× the previous record. Epoch AI tracked roughly 1,300–1,500 critical CVEs from 21 organizations in June alone — the largest one-month surge ever documented in the National Vulnerability Database.

Anthropic partnered with Microsoft, Google, Apple, and AWS on Project Glasswing specifically to run Claude Mythos against their codebases in a controlled, defensive setting. The idea: find the vulnerabilities before attackers do. In April and May, CVE disclosures from those 21 organizations exceeded the 2025 baseline by 142% and 262%, respectively. By June, the dam broke — roughly 1,300 to 1,500 critical bugs in a single month. Epoch AI published the analysis on July 2, 2026.

The scale of what Mythos found — over 10,000 high- or critical-severity vulnerabilities across Glasswing partners — puts it in a different category from any previous automated security tool.

What the Spike Actually Means (and What It Doesn’t)

This is a disclosure spike, not an attack spike. The CVEs flooding into the database represent bugs that were discovered, patched internally, and then publicly reported — which is how responsible disclosure is supposed to work. Nothing in the data suggests these vulnerabilities were exploited in the wild.

But the sheer volume raises an uncomfortable question: if Mythos found 10,000 critical bugs in a handful of the world’s most security-conscious companies, how many remain undiscovered in less well-resourced codebases? The average software organization doesn’t have a Project Glasswing deal with Anthropic.

Epoch AI’s own Substack explicitly flagged that the causal link is not airtight — organizations may have accelerated planned disclosures for other reasons, or been catching up on a backlog. The correlation, however, is striking enough that Epoch’s analysts treated it as the primary driver.

Source: Epoch AI — Monthly high/critical CVE disclosures from 21 notable organizations, April–June 2026.

The 10,000-Bug Number Needs Context

Project Glasswing reported 10,000+ high- or critical-severity vulnerabilities found across its partner organizations. That number is cumulative from April through June. Microsoft, Google, Apple, and AWS — four of the largest and most scrutinized codebases on earth — are the confirmed partners.

Not all 10,000 have been individually disclosed yet. Responsible disclosure typically requires coordinating a fix before publishing the CVE, so the June surge likely represents bugs Glasswing found in April and May that partners have now patched. Expect the monthly CVE count to remain elevated through at least Q3 2026 as the disclosure pipeline continues to clear.

The implications for Fable 5’s guardrails for cybersecurity researchers are significant — Anthropic has been carefully managing how much autonomous capability it surfaces publicly, while simultaneously deploying that capability in controlled partnerships like Glasswing.

Why Defenders Got It First — and the Risk If Attackers Don’t

Anthropic made a deliberate choice to deploy Mythos’s most aggressive vulnerability-discovery capabilities in a defensive context before any public access. Glasswing partners signed NDAs and agreed to fix bugs before disclosure. That sequencing gave defenders a six-to-twelve-week head start over any theoretical attacker who might get the same capability later.

The question the industry is asking — quietly — is what happens when a comparable AI model is accessible to threat actors. State-sponsored groups and well-funded criminal organizations don’t need Mythos specifically; they need a model with similar autonomous code analysis capability. Several open-weight models are approaching that threshold. The agentic AI security risks that researchers flagged in early 2026 are no longer theoretical.

Claude’s approach to this problem — partner with hyperscalers, find bugs first, fix before disclosure — is the most defensible playbook available. It doesn’t solve the underlying problem; it buys time. The AI fingerprinting techniques emerging from Anthropic’s security research suggest the company is aware it needs more than just defensive patching as a long-term strategy.

💡 Our Take: AI has crossed a threshold: it no longer just finds bugs faster than humans — it’s fast enough to overwhelm the global disclosure pipeline. A 3.5× spike in critical CVEs isn’t just a security statistic; it’s evidence that the gap between human-speed auditing and AI-speed vulnerability discovery has become unbridgeable. The question isn’t whether AI will transform cybersecurity — it already has. The question is whether defenders or attackers will have access to the same tools six months from now.

Frequently Asked Questions

What is Claude Mythos and Project Glasswing?

Claude Mythos is Anthropic’s most capable frontier AI model, unveiled in April 2026. Project Glasswing is a defensive cybersecurity partnership where Mythos autonomously scans the codebases of Microsoft, Google, Apple, and AWS for high- and critical-severity vulnerabilities before they can be exploited.

How many CVEs did Claude Mythos find?

Project Glasswing reported discovering over 10,000 high- or critical-severity vulnerabilities across its partner organizations as of July 2026. In June alone, 21 major organizations disclosed approximately 1,300–1,500 critical CVEs — roughly 3.5× the pre-Mythos monthly record, according to Epoch AI data.

Were any of these vulnerabilities exploited?

No. The CVE surge represents bugs that were discovered, patched internally, and then publicly disclosed through responsible disclosure processes. Epoch AI’s analysis found no evidence that any of the Glasswing-discovered vulnerabilities were exploited in the wild before disclosure.

Is the CVE spike definitely caused by Claude Mythos?

Epoch AI treats Mythos and Project Glasswing as the primary driver based on the timing correlation — the spike began precisely when Glasswing partner organizations would have been processing Mythos’s April discovery backlog. However, Epoch’s own analysts note the causal link is correlational, and organizations may have had other reasons to accelerate disclosures.

What does this mean for companies not in Project Glasswing?

It raises a significant question about the security posture of organizations without access to AI-assisted vulnerability discovery. If Glasswing found 10,000 critical bugs in four of the world’s most security-focused companies, the implication is that less well-resourced codebases may harbor comparable vulnerabilities with no equivalent detection tool deployed.

The June CVE surge is the most concrete evidence yet that frontier AI is changing the economics of vulnerability discovery — not just incrementally, but by an order of magnitude. Whether that acceleration favors defenders or attackers will depend on who gets access to comparable capabilities next.

Last Updated: July 2026

Share.

I am a software engineer, I have a passion for working with cutting-edge technologies and staying up-to-date with the latest developments in the field. In my articles, I share my knowledge and insights on a range of topics, including business software, how to set up tools, and the latest trends in the tech industry.

Comments are closed.

Exit mobile version