Mythos AI discovered FreeBSD vulnerability already in training data

Original: The FreeBSD vulnerability "discovered" by Mythos was already in its training data.

Why This Matters

The finding raises questions about AI security research claims and training data contamination.

Security researchers found that CVE-2026-4747, a FreeBSD kernel vulnerability that Anthropic's Claude Mythos AI discovered, was already present in the model's training data. The 20-year-old stack overflow bug in FreeBSD's RPC system affects networked file systems across enterprise and academic networks.

Rival Security analyzed Anthropic's claim that Claude Mythos achieved the "first remote kernel exploit discovered by an AI" with CVE-2026-4747. The vulnerability is a classic stack overflow in FreeBSD's sys/rpc/rpcsec_gss/svc_rpcsec_gss.c file, where the svc_rpc_gss_validate() function copies credential data into a 128-byte stack buffer without bounds checking. The code has roots in Sun Microsystems' 1984 ONC RPC and NFS systems. While the AI's exploit engineering was impressive, researchers question how it recognized the vulnerability, suggesting the bug information was already in Mythos's training data rather than being genuinely discovered.
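The bug class described above, as an added example that is not FreeBSD's code or part of the original article: a simplified model of copying a wire-supplied credential into a 128-byte stack buffer, first without and then with a length check. The function names, the 8-byte fixed prefix and the byte-sum standing in for header verification are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR_BUF_LEN 128  /* stack buffer size stated in the article */
#define FIXED_LEN   8    /* assumed fixed fields written before the credential */

/* Unchecked pattern: cred_len comes from the wire and is trusted as-is. */
int build_hdr_unchecked(const uint8_t *cred, uint32_t cred_len, uint32_t *sum)
{
    uint8_t hdr[HDR_BUF_LEN];
    uint32_t i, n = FIXED_LEN + cred_len;

    memset(hdr, 0, FIXED_LEN);
    memcpy(hdr + FIXED_LEN, cred, cred_len);  /* writes past hdr if cred_len > 120 */
    for (*sum = 0, i = 0; i < n; i++)
        *sum += hdr[i];
    return 0;
}

/* Hardened form: reject before copying; the comparison cannot wrap. */
int build_hdr_checked(const uint8_t *cred, uint32_t cred_len, uint32_t *sum)
{
    uint8_t hdr[HDR_BUF_LEN];
    uint32_t i, n;

    if (cred == NULL || cred_len > sizeof(hdr) - FIXED_LEN)
        return -1;                            /* oversized credential: drop request */
    n = FIXED_LEN + cred_len;
    memset(hdr, 0, FIXED_LEN);
    memcpy(hdr + FIXED_LEN, cred, cred_len);
    for (*sum = 0, i = 0; i < n; i++)
        *sum += hdr[i];
    return 0;
}

int main(void)
{
    uint8_t wire[400];                        /* constructed sample credential bytes */
    uint32_t lens[] = { 16, 120, 121, 400 }, sum, i;

    memset(wire, 1, sizeof(wire));
    for (i = 0; i < 4; i++) {
        int rc = build_hdr_checked(wire, lens[i], &sum);
        printf("cred_len=%u -> %s\n", lens[i], rc ? "rejected" : "accepted");
    }
    return 0;
}
```

The check compares the length against the remaining capacity (`sizeof(hdr) - FIXED_LEN`) rather than adding first, so a very large `cred_len` cannot wrap the arithmetic and slip past the test.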

Source

rival.security