Podcast Episode
UK Cyber Agency Warns of 'Patch Tsunami' as AI Unearths Decades of Software Flaws
May 4, 2026
Duration: 2:21
The UK's National Cyber Security Centre is urging organisations to brace for a flood of urgent patches as new AI systems autonomously uncover thousands of previously unknown software vulnerabilities. With the timeline between disclosure and exploitation shrinking from weeks to hours, regulators on both sides of the Atlantic are scrambling to respond.
A New Era of Machine-Scale Vulnerability Hunting
The cybersecurity landscape is undergoing a seismic shift following the unveiling of Anthropic's Claude Mythos Preview, an AI model so capable at finding software flaws that its creators have deemed it too dangerous to release publicly. During testing, the model identified thousands of high-severity zero-day vulnerabilities across every major operating system and web browser, including a 27-year-old OpenBSD bug, a 17-year-old FreeBSD remote code execution flaw, and a 16-year-old FFmpeg vulnerability. On a Firefox exploit benchmark, Mythos produced 181 working exploits compared to just two from Anthropic's previous model, a roughly 90-fold leap in capability.

Access has been restricted to about 40 organisations through Project Glasswing, including Apple, Amazon, Microsoft, Google, CrowdStrike, Nvidia, JPMorgan Chase, and the Linux Foundation, all for defensive purposes only. Anthropic has committed up to $100 million in usage credits and $4 million in donations to open-source security groups. Over 99% of the vulnerabilities discovered remain unpatched and undisclosed.
The Clock Is Already Ticking
The stakes became starkly clear this week with the public disclosure of 'Copy Fail,' a Linux kernel privilege escalation flaw tracked as CVE-2026-31431. Researchers at Theori found the bug in roughly one hour using their AI-driven platform Xint Code. Their 732-byte exploit achieved 100% reliability across Ubuntu, Amazon Linux, RHEL, and SUSE, granting root access on kernels shipped since 2017. Although a fix landed in the mainline kernel on April 1, exploit details went public on April 29 before every distribution had patched.

In response, the U.S. Cybersecurity and Infrastructure Security Agency is weighing a proposal to slash its standard remediation deadline for federal agencies from three weeks to three days. The UK's National Cyber Security Centre issued a parallel warning, with CTO Ollie Whitehouse urging organisations to prepare to patch quickly, more often, and at scale.
The Defender's Dilemma
The Cloud Security Alliance has warned of a coming 'AI vulnerability storm,' while threat analysts describe the democratisation of cyber offence as a current reality. Anthropic itself has advised organisations to shorten patch cycles, enable auto-updates, and automate incident response, as years of accumulated technical debt suddenly come due all at once.

Published May 4, 2026 at 4:10am