Key Takeaways
Last week, Anthropic announced Claude Mythos Preview and Project Glasswing, an AI-powered effort to identify security vulnerabilities in critical software at scale. We’re watching the security community dig into the implications.
Mythos identified real, confirmed vulnerabilities across every major operating system and every major web browser. Many were memory safety bugs. Some had been sitting undetected for over a decade. One, in OpenBSD, had been there for 27 years.
Over 99% of what Mythos found has not yet been patched.
“This should shake anyone’s confidence that they’re safe because they’ve tested their software,” said Doug Britton, Chief Strategy Officer at RunSafe Security. “FreeBSD has been audited and fuzzed an uncountable number of times over 17 years by world-class researchers. Mythos still found a remotely exploitable bug. If that’s possible there, it’s possible anywhere.”
Critical infrastructure operators should take note that Anthropic specifically called out memory safety bugs. “Critical infrastructure is a lot of compiled code,” said RunSafe Security CTO Shane Fry. Compiled native code, most of it written in C and C++, is where most memory safety bugs are found.
The systems that manage power grids, industrial controllers, routers, and embedded devices are built on codebases where these bugs have been accumulating for decades. Mythos finding them efficiently, and at scale, changes the threat landscape for those environments in ways that go well beyond a typical vulnerability disclosure.
“It’s a tsunami of zero-days across critical software with more coming as the capability scales,” Doug said. “You cannot patch your way out of that timeline.”
Why Memory Safety Is the Epicenter
Memory safety vulnerabilities occupy a particular danger zone in software security. They are prevalent in the legacy codebases that run critical infrastructure and, historically, they have been extremely hard to find.
That difficulty is part of why they’ve accumulated so quietly. The codebases where these bugs live (operating systems, firmware, core system utilities) are written in C and C++. They have been audited and fuzzed repeatedly. The low-hanging fruit was picked long ago. What remains are the deeply buried flaws that require a genuine understanding of complex code to find.
To understand why this matters, it helps to understand what came before. Traditional static and dynamic analysis tools do a reasonable job of finding web vulnerabilities like SQL injection or cross-site scripting. Memory safety bugs in compiled, low-level code are a different category entirely. They require the ability to reason through complex control flow and trace subtle integer overflows and pointer errors across thousands of lines of code, often with the length check in one function and the memory access it guards in another.
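The following is an added example, not code from Anthropic, RunSafe or any project named on the page. It shows the shape of bug the paragraph describes: a length check that looks correct but wraps in 32-bit arithmetic, so a hostile length passes the check and the memcpy two calls later reads and writes out of bounds. The record format (a 1-byte type, a 4-byte little-endian length, then the value), the function names and the sample records are all assumed for illustration; the hardened variant subtracts instead of adds so no intermediate can overflow, and also caps the length at the destination size.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/*
 * Added example (not Anthropic's or RunSafe's code). Illustrates an integer
 * overflow in a bounds check, separated from the memcpy it protects.
 * Record layout assumed for illustration: type:1 | len:4 (LE) | value:len
 */

#define HDR_LEN   5u
#define MAX_VALUE 64u

struct record {
    uint8_t  type;
    uint32_t len;
    uint8_t  value[MAX_VALUE];
};

static uint32_t read_u32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable check: hdr + len is computed in 32 bits. With len close to
 * UINT32_MAX the sum wraps to a small number and the check passes. */
int bounds_ok_vuln(uint32_t hdr, uint32_t len, uint32_t total)
{
    return hdr + len <= total;          /* BUG: the addition can wrap */
}

/* Hardened check: subtract rather than add, so nothing can overflow, and
 * also cap the length at the destination buffer size. */
int bounds_ok_safe(uint32_t hdr, uint32_t len, uint32_t total, uint32_t cap)
{
    if (hdr > total) return 0;
    if (len > cap)   return 0;
    return len <= total - hdr;
}

/* Vulnerable parser. For a record with len = 0xFFFFFFFC the check wraps to
 * 1 <= total, and memcpy then reads about 4 GiB past buf and writes far past
 * out->value. It is deliberately never run on the hostile record below. */
int parse_record_vuln(const uint8_t *buf, uint32_t total, struct record *out)
{
    if (total < HDR_LEN) return -1;
    uint32_t len = read_u32le(buf + 1);
    if (!bounds_ok_vuln(HDR_LEN, len, total)) return -1;
    out->type = buf[0];
    out->len  = len;
    memcpy(out->value, buf + HDR_LEN, len);   /* also unbounded by MAX_VALUE */
    return 0;
}

/* Hardened parser: identical flow, overflow-free check plus destination cap. */
int parse_record_safe(const uint8_t *buf, uint32_t total, struct record *out)
{
    if (total < HDR_LEN) return -1;
    uint32_t len = read_u32le(buf + 1);
    if (!bounds_ok_safe(HDR_LEN, len, total, MAX_VALUE)) return -1;
    out->type = buf[0];
    out->len  = len;
    memcpy(out->value, buf + HDR_LEN, len);
    return 0;
}

/* Constructed sample inputs: a benign 3-byte record and one whose length
 * field (0xFFFFFFFC) wraps the vulnerable check. */
const uint8_t good_record[] = { 0x01, 0x03, 0x00, 0x00, 0x00, 'a', 'b', 'c' };
const uint8_t evil_record[] = { 0x01, 0xFC, 0xFF, 0xFF, 0xFF, 'x', 'x', 'x' };

int main(void)
{
    struct record r;
    printf("vulnerable check accepts hostile length: %d\n",
           bounds_ok_vuln(HDR_LEN, read_u32le(evil_record + 1), sizeof evil_record));
    printf("hardened parser on hostile record: %d\n",
           parse_record_safe(evil_record, sizeof evil_record, &r));
    printf("hardened parser on benign record: %d (len %u)\n",
           parse_record_safe(good_record, sizeof good_record, &r), r.len);
    return 0;
}
```

On ordinary inputs both parsers behave identically, which is why a bug like this survives years of testing: nothing about the benign record distinguishes the wrapping check from the correct one. Finding it requires holding the width of the arithmetic, the value range of the untrusted field and the later memcpy in mind at once, which is the kind of cross-function reasoning the paragraph is pointing at.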
“With memory safety vulnerabilities, those have been traditionally really hard to find and really hard to find with an LLM in a way where it’s essentially understanding the code and being able to reason over something that is incredibly complex,” Shane said.
Mythos is demonstrating that large language models can now do exactly that, and that they can chain vulnerabilities together into working exploits even though the model was not specifically trained for it.
The Volume Problem
The window for patching has always been too short, but it has been survivable. AI-assisted vulnerability discovery is collapsing it.
Joe Saunders, RunSafe’s Founder and CEO, said: “AI is accelerating vulnerability discovery and exploit development, breaking the assumption that finding a bug and fixing a bug can happen on roughly the same timeline. That assumption has never panned out, and most definitely does not anymore.”
What Mythos surfaced represents thousands of labor-years of remediation work. And that is from a single, controlled research effort. As this capability scales, the volume of confirmed, exploitable vulnerabilities will grow faster than any team can patch them.
For organizations running operational technology, industrial control systems, or embedded firmware in critical infrastructure, this is a different kind of crisis. OT environments often cannot patch on any normal timeline. A vulnerability in a power management system or a network firmware stack cannot be addressed with a Tuesday update cycle. Patching may require physical access, vendor certification, regulatory approval, or scheduled downtime windows that happen once a year.
“A lot of companies in the OT space can’t just quickly update. If someone gets a hold of Mythos and it becomes generally available, how can you update your software?” Shane said. The assumption that a fix will arrive before exploitation occurs was already fragile. It is becoming untenable.
How RunSafe Supports Software Security
If anything, the Mythos findings confirm what RunSafe has built and why we are building it.
RunSafe’s runtime exploit prevention technology prevents exploitation of memory safety vulnerabilities at the binary level, across 86 CWEs, without requiring source code access or waiting for a patch. When a memory safety bug exists in software you’re running, RunSafe works to ensure that bug cannot be turned into a working exploit, regardless of whether the upstream maintainer has acknowledged the issue, written a fix, or even been notified.
That matters now in a specific way. The bugs Mythos is finding are real, and the exploits it is constructing are functional. The majority of what has been found is not yet patched. For organizations that cannot wait for patches, that cannot update on short notice, and that cannot afford downtime, the relevant question is not “when will this be fixed?” It is “Can this be exploited against us while we wait?”
Runtime exploit prevention hardens software itself rather than racing against the clock to remove the next vulnerability.
What Comes Next
The security industry has experienced transitions before, with the rise of fuzzing, the expansion of automated scanning, and the commoditization of exploit frameworks. Each one changed the equilibrium. This one changes it at a different scale.
Joe Saunders sees this as an inflection point: “Security can’t be solely about patching every vulnerability. It has to include protecting systems while those vulnerabilities are still present.”
RunSafe makes that possible for memory-safety vulnerabilities, and that makes all the difference for critical infrastructure systems under active attack.
Learn more about how RunSafe’s automated code protection defends software from memory attacks targeting known vulnerabilities and memory-based zero days.