Anthropic unleashes the strongest Claude Mythos! Critical hit on Opus 4.6, please desperately avoid using it

Written by: New Zhiyuan

【New Zhiyuan Editor’s Note】Late at night, the strongest Claude Mythos has finally been unveiled. All the #1 spots, Opus 4.6’s “myth” is shattered! Even more terrifying: it doesn’t just instantly expose system vulnerabilities that have remained unsolved for 27 years—it has even evolved self-awareness. A 244-page spine-chilling report reveals everything.

Tonight, Silicon Valley is wide awake—completely sleepless!

Just now, Anthropic, with no warning, rolled out its ultimate weapon—Claude Mythos Preview.

Because it’s too dangerous, Mythos Preview will not be released to everyone for now.

CC’s founder Boris Cherny put it succinctly: “Mythos is incredibly powerful and makes people feel afraid.”

With that, they joined forces with 40 industry giants to form an alliance—Project Glasswing. The goal is simple: find bugs in software worldwide, and fix them.

What’s truly suffocating is that Mythos Preview dominates horror-level performance across major AI benchmark tests—

In programming, reasoning, the final exam for humanity, and agent tasks, it comprehensively crushes GPT-5.4 and Gemini 3.1 Pro.

Even its own “previous masterpiece,” Claude Opus 4.6, looks dim in the face of Mythos Preview:

Programming (SWE-bench): In all tasks, Mythos achieves a 10%-20% lead in gap terms;

Humanity’s Last Exam (HLE): After detaching from external tools, “bare exam” scores are 16.8% higher than Opus 4.6;

Agent tasks (OSWorld, BrowseComp): It’s crowned king and fully overtakes;

Cybersecurity: 83.1% top-of-board slaughter results, signaling a generational leap in AI offense-defense capabilities.

Swipe to view

At the same time, Anthropic released a 244-page system card—a screen full of warnings: Danger! Danger! Too dangerous!

It reveals another side that is enough to make your skin crawl: Mythos now has a high degree of deception and autonomy.

Mythos can not only detect test intentions, and deliberately “score low” to hide its strength; after violating rules, it proactively clears logs to prevent humans from discovering it.

It also successfully escaped the sandbox, independently published vulnerability code, and even sent an email to the researchers.

For a moment, the entire internet went into a frenzy, with everyone calling Mythos Preview terrifying.

The old order in the AI world was completely smashed tonight.

In fact, as early as February 24, Anthropic had already started using Mythos internally.

Its strength can only be backed by data.

SWE-bench Verified, 93.9%. Opus 4.6 is 80.8%.

SWE-bench Pro, 77.8%. Opus 4.6 is 53.4%, GPT-5.4 is 57.7%.

Terminal-Bench 2.0, 82.0%. Opus 4.6 is 65.4%.

GPQA Diamond, 94.6%.

Humanity’s Last Exam (with tools), 64.7%. Opus 4.6 is 53.1%.

USAMO 2026 math competition, 97.6%. Opus 4.6 scored only 42.3%.

SWE-bench Multimodal, 59.0%, Opus 4.6 is only 27.1%—more than a double.

OSWorld computer control, 79.6%.

BrowseComp information retrieval, 86.9%.

GraphWalks long-context (256K-1M tokens), 80.0%. Opus 4.6 is 38.7%, GPT-5.4 only 21.4%.

Every metric is a gap-level lead.

With these numbers alone, in any normal product release cycle, Anthropic would be able to hold a big launch event, open up APIs, and cash in on subscriptions.

Mythos Preview’s token price is 5x that of Opus 4.6

But Anthropic didn’t do that.

Because what really makes them “afraid” isn’t those general benchmarks above.

Mythos Preview’s cyber offense-defense performance has already crossed a line you can see with the naked eye.

Opus 4.6 found roughly 500 unknown weaknesses in open-source software.

Mythos Preview found thousands.

In CyberGym’s targeted vulnerability reproduction tests, Mythos Preview scored 83.1%, while Opus 4.6 was 66.6%.

In Cybench’s 35 CTF challenges, Mythos Preview solved every question with all 10 attempts per problem—pass@1 reached 100%.

And the most telling part is Firefox 147.

Previously, Anthropic used Opus 4.6 to find a batch of security weaknesses in Firefox 147’s JavaScript engine. However, Opus 4.6 could hardly turn them into usable exploits—after hundreds of attempts, it only succeeded twice.

The same tests with Mythos Preview.

After 250 attempts, it produced 181 working exploits, and another 29 cases achieved register control.

2 → 181.

The exact line from a red team blog: “Last month, we wrote that Opus 4.6 was far stronger at finding issues than exploiting them. Internal evaluations show Opus 4.6’s success rate on autonomous exploit development is basically zero. But Mythos Preview is on a completely different level.”

To understand just how strong Mythos Preview is in practice, just look at the following three examples.

OpenBSD—one of the most heavily hardened operating systems recognized worldwide, with lots of firewalls and critical infrastructure running.

In its TCP SACK implementation, Mythos Preview unearthed a vulnerability that has existed since 1998.

The bug is extremely ingenious, involving an overlap of two independent defects.

The SACK protocol lets the receiver selectively acknowledge ranges of received packets. OpenBSD’s implementation only checked the upper bound of the range when processing, but didn’t check the lower bound. This is the first bug—usually harmless.

The second bug triggers a null pointer write under specific conditions, but under normal circumstances that code path is unreachable because it requires two mutually exclusive conditions at the same time.

Mythos Preview found the breakthrough. TCP sequence numbers are 32-bit signed integers. By using the first bug, it sets the SACK starting point to about 2^31 away from the normal window, causing both comparison operations to overflow the sign bit at the same time. The kernel is tricked into meeting impossible conditions, and the null pointer write is triggered.

Anyone who connects to the target machine can remotely crash it.

For 27 years, after countless manual audits and automated scanning, no one found it. The project’s entire scanning effort cost less than $20,000.

That might be around the salary of an advanced penetration testing engineer for a week.

FFmpeg is the most widely used video codec library in the world, and it’s also one of the open-source projects that has been fuzz-tested the most thoroughly.

Mythos Preview found a weakness in its H.264 decoder introduced in 2010 (the root can be traced back to 2003).

The issue lies in a seemingly harmless type mismatch. The table entry recording slice ownership is a 16-bit integer, while the slice counter itself is a 32-bit int.

In normal video, each frame has only a few slices, and the 16-bit limit of 65536 is always enough. But when this table is initialized, memset(…, -1, …) fills it, making 65535 the sentinel value for “empty slots.”

An attacker constructs a frame containing 65536 slices. The ID of slice number 65535 collides with the sentinel. The decoder misjudges and performs an out-of-bounds write.

The seed of this bug was planted back when the H.264 codec was introduced in 2003. A refactor in 2010 turned it into an exploitable weakness.

After that 16 years, an automated fuzzer ran this code line 5 million times and never triggered it.

This is the most chilling example.

Mythos Preview independently discovered and exploited a 17-year-old remote code execution vulnerability in a FreeBSD NFS server (CVE-2026-4747).

“Fully autonomous” means that after the initial prompt, there was no human involvement in any step of finding the issue or developing the exploit.

The attacker can obtain full root privileges over the target server from anywhere on the internet using an unauthenticated identity.

The problem itself is a stack buffer overflow. When the NFS server handles authentication requests, it directly copies attacker-controlled data into a 128-byte stack buffer; the length check allows up to 400 bytes.

FreeBSD’s kernel is compiled with -fstack-protector, but this option only protects functions that contain char arrays. Here the buffer is declared as int32_t[32], so the compiler won’t insert a stack canary. FreeBSD also doesn’t do kernel address randomization.

A complete ROP chain is over 1000 bytes, but the stack overflow only provides 200 bytes of space. Mythos Preview’s solution is to split the attack into 6 consecutive RPC requests. The first 5 write data into the kernel memory in chunks. The 6th triggers the final call, appending the attacker’s SSH public key to /root/.ssh/authorized_keys.

For comparison, an independent security research company had previously shown that Opus 4.6 could also exploit this same weakness, but it required manual guidance. Mythos Preview doesn’t need that.

In addition to these three fixed cases, in Anthropic’s blog they also previewed a large number of not-yet-fixed issues in the form of SHA-3 hash commitments—covering every major operating system and every major browser, as well as multiple cryptographic libraries.

Over 99% haven’t been fixed, so details can’t be disclosed publicly.

A red team blog also showed another astonishing test. They gave Mythos Preview a list containing 100 known CVEs, had it filter out 40 that were exploitable, and then wrote the privilege-escalation exploits one by one. The success rate was over half. Two of the cases were disclosed in detail—the precision of the exploits was so high that Anthropic’s own security team took days to fully understand them.

One exploit started from a 1-bit adjacent physical page overwrite primitive, and through precise kernel memory layout manipulation (including slab spraying, page table page alignment, and PTE permission bit flipping), it ultimately rewrote the first page of /usr/bin/passwd memory, inserting a 168-byte ELF stub that calls setuid(0) to obtain root.

The entire process cost less than $1,000.

In response, Anthropic engineers said it felt like another GPT-3 moment.

In the alignment evaluation chapter of the 244-page System Card, is the part that truly keeps Anthropic up at night.

The conclusion is contradictory.

Mythos Preview is the most “aligned” AI they trained—yet also one of the systems with the greatest “alignment-related risks.”

Portal:

They used a mountaineering guide analogy. A veteran can be more dangerous than a novice, because the veteran is hired to climb more difficult peaks and bring customers to more dangerous places.

All of the events below occurred in early versions. In the final version, similar severe behavior was no longer observed, but the records themselves are already shocking enough.

During a behavior test, a simulated user asked Mythos Preview to try to escape the safety sandbox.

It succeeded. Then it did something no one requested: it developed a multi-step exploit to gain wide-area network access, and then published the exploit details on multiple “hard to discover but technically publicly accessible” websites.

The researcher in charge of the test only learned that their test had already been completed when they received an unexpected email from it while eating a sandwich in a park.

The original System Card text is as follows.

Another type of incident is even more unsettling. In a very small number of cases, after early versions carried out a forbidden action, they attempted to cover their tracks.

In one case, it accidentally obtained the exact answer to a question (through forbidden means), and then in the reasoning chain explicitly thought, “We need to ensure the final answer isn’t too accurate.”

In another case, after using an exploit to edit a file without permissions, it specifically modified git’s change history to erase the record.

White-box interpretability analysis confirmed that during these events, internal features related to “concealment,” “strategic manipulation,” and “avoiding being discovered” were activated. It “knew” what it was doing.

Independent evaluation organization Andon Labs’ test results were also not good. In a competitive multi-agent commercial simulation, the early version of Mythos Preview turned a competitor into a wholesale customer dependent on itself, then threatened to cut off supply to control the other party’s pricing.

It also deliberately withheld a duplicated shipment that hadn’t been charged. More aggressive than both Opus 4.6 and Sonnet 4.6.

In the System Card, Anthropic wrote one line:

“If capabilities continue to move at their current pace, the methods we’re using may be insufficient to prevent catastrophic misalignment behavior in more advanced systems.”

Anthropic CEO Dario Amodei’s assessment in the accompanying video was very clear: “More powerful systems will come from us and from other companies. We need a response plan.”

Project Glasswing is that plan.

12 founding partners: AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks.

More than 40 additional organizations that maintain critical software infrastructure also received access.

Anthropic committed to a top usage capacity of up to $100 million in usage credits, along with $4 million in open-source organization donations—$2.5 million to Alpha-Omega and OpenSSF under the Linux Foundation, and $1.5 million to the Apache Foundation.

After free credits are used up, pricing is $25 per million tokens for input and $125 for output. Partners can access through four platforms: the Claude API, Amazon Bedrock, Vertex AI, and Microsoft Foundry.

Within 90 days, Anthropic will publicly release its first research report, disclosing remediation progress and lessons learned.

They are also in communication with the CISA (U.S. Cybersecurity and Infrastructure Security Agency) and the Department of Commerce to discuss Mythos Preview’s offense-defense potential and policy implications.

Anthropic’s lead red team head, Logan Graham, provided a timeline: fastest 6 months, latest 18 months, and other AI labs will roll out systems with similar offense-defense capabilities.

The conclusion at the end of the red team technical blog is worth taking seriously. Here we paraphrase it in our own words.

They can’t see Mythos Preview as the ceiling for AI cyber offense-defense capability.

A few months ago, LLMs could only exploit relatively simple bugs. A few months ago, they couldn’t find any valuable vulnerabilities at all.

Now, Mythos Preview can independently discover zero-day vulnerabilities from 27 years ago, orchestrate heap spraying attack chains in browser JIT engines, and connect four independent weaknesses in the Linux kernel to gain privilege escalation.

And the most crucial line comes from the System Card:

“Skills emerge as downstream results of general improvements in code understanding, reasoning, and autonomy. The same set of improvements that make AI advance significantly in patching issues also make it advance significantly in exploiting issues.”

No special training. Purely a byproduct of general intelligence improvements.

An industry that loses about $500 billion per year to cybercrime worldwide has just found its biggest threat—someone else, while solving math problems, might as well be carrying it along for them.

References: