AI Finds 27-Year-Old OpenBSD, Linux Kernel Flaws

A new artificial intelligence model from Anthropic has exposed a 27-year-old vulnerability in the OpenBSD operating system, capable of remotely crashing affected machines simply by initiating a connection. The system, called Mythos, was not designed for hacking, but its reasoning capabilities have unearthed thousands of previously unknown flaws across major operating systems and browsers, bypassing both human review and millions of automated tests. Mythos autonomously chained together multiple Linux kernel vulnerabilities, escalating access from ordinary user to complete control of a machine. “This is a step change,” said Dave McGinnis, Vice President of Global Managed Security Services at IBM. “The people who wrote that code didn’t know those things were there.”

Mythos AI Discovers Decades-Old Zero-Day Vulnerabilities

This discovery is not simply about finding bugs; it’s about the speed and method by which they were revealed, prompting a reevaluation of current security protocols. A striking finding was a 27-year-old vulnerability within OpenBSD, a system renowned for its robust security features, which would allow remote crashing of affected machines through a simple connection. This poses a significant challenge for open-source software, which often relies on smaller teams with limited security resources. Rob Thomas, Senior Vice President of Software and Chief Commercial Officer at IBM, argues that AI’s emergence as critical infrastructure strengthens the case for open development, as security improves through scrutiny rather than concealment. Anthropic has committed USD 2.5 million to Alpha-Omega and the Open Source Security Foundation, alongside USD 1.5 million to the Apache Software Foundation, to bolster open-source security efforts, recognizing that “If the attackers aren’t humans anymore, the defenders can’t be humans anymore either,” according to McGinnis.

Vulnerability Chaining & Binary Code Analysis Capabilities

Current automated vulnerability discovery relies heavily on static and dynamic analysis tools, alongside dedicated human security researchers, yet these methods are increasingly challenged by the sophistication of modern threats. Existing automated systems typically excel at identifying individual flaws, but struggle to correlate them into complex attack chains; a limitation Mythos appears to overcome. Anthropic’s new AI model demonstrates a capacity for “vulnerability chaining,” connecting seemingly minor software flaws into a cohesive attack capable of achieving significant compromise, such as escalating from standard user access to complete control of a machine. This ability distinguishes it from previous systems and highlights a shift in the threat model. The finding underscores that even mature, well-maintained codebases are not immune to long-hidden flaws when subjected to novel analysis techniques.

Beyond identifying thousands of previously unknown vulnerabilities across major operating systems and browsers, Mythos possesses the ability to analyze compiled binary code without requiring access to the original source code. This binary code analysis capability is especially impactful for legacy systems where source code is lost or unavailable, effectively expanding the attack surface to previously unreachable targets.

Open Source Security & Anthropic’s USD 4 Million Investment

Anthropic’s Mythos AI is prompting a significant reassessment of open-source security protocols, underscored by a USD 4 million investment aimed at bolstering vulnerable foundations. While the model’s primary function isn’t offensive, its capacity to uncover previously unknown flaws is reshaping the threat landscape, particularly for projects reliant on community contributions and limited resources. The AI’s ability to identify these weaknesses and chain them together, escalating access from standard user to complete system control, represents a departure from conventional automated security testing. “It’s not like they created the bugs.” This funding intends to empower maintainers to respond to the evolving threat environment, recognizing that the sheer scale of open-source infrastructure presents an expansive attack surface.