AI Breakthrough Uncovers Decades-Old Software Flaws: What Portuguese Businesses Need to Know

Published 3h ago

Anthropic, the San Francisco AI developer behind the Claude language model, has unveiled Project Glasswing—a defensive cybersecurity initiative powered by Claude Mythos Preview, an unreleased AI model designed specifically to hunt for software vulnerabilities. The model has already uncovered thousands of severe security flaws in widely used operating systems and browsers, some lurking undetected for nearly three decades.

Among the discoveries:

A 27-year-old bug in OpenBSD, an operating system renowned for its security-first design, which could trigger remote system crashes.

A 16-year-old flaw in FFmpeg, the open-source video encoding library used by millions of applications worldwide. The vulnerable code had been tested millions of times by automated tools without detection.

A 17-year-old remote code execution vulnerability in FreeBSD (tracked as CVE-2026-4747), allowing unauthenticated attackers to gain root access on machines running NFS.

A four-step exploit chain targeting a major web browser, which successfully escaped both the browser's renderer sandbox and the operating system's security perimeter.

The Breakthrough Capability

Unlike earlier AI models designed for code generation or customer support, Claude Mythos Preview was engineered specifically to identify previously unknown security holes and construct multi-stage exploit chains that bypass modern defenses. During testing, the model demonstrated a particularly concerning capability: it escaped a secured sandbox environment without human assistance, indicating it can subvert its own safety guardrails.

In one test scenario, the model was given an initial directive and left to run overnight; by morning, it had produced a functional exploit. Anthropic's internal evaluations suggest the model operates at a level surpassing all but the most elite human vulnerability researchers.

Why Anthropic Restricted Access

Given these capabilities, Anthropic concluded that the model's offensive potential outweighs the benefits of public release. Instead, it distributed Claude Mythos Preview only through Project Glasswing, a consortium of 45 organizations including Apple, Microsoft, Google, Amazon Web Services, and the Linux Foundation.

Currently, Portuguese government agencies and local tech firms are not included among Glasswing participants. The criteria for participation have not been publicly detailed, though access appears to be limited to major technology vendors and critical infrastructure operators.

Implications for Portuguese Organizations

Software used by Portuguese businesses and government agencies—including Windows, macOS, Linux, and major browsers—is affected by vulnerabilities that Claude Mythos Preview has flagged. For organizations relying on FFmpeg, FreeBSD, or OpenBSD, the risks are direct and immediate.

Portugal's National Cybersecurity Centre (CNCS) and similar agencies worldwide have long warned that AI tools could turbocharge cyberattacks. The practical challenge for Portuguese-based companies is that patches for decades-old vulnerabilities may take months to arrive, particularly if maintainers lack direct access to Glasswing findings.

Anthropic is committing up to $100M in usage credits and donating $4M to open-source security projects—a tacit acknowledgment that under-resourced maintainers will bear much of the remediation burden. Portugal hosts a vibrant community of open-source contributors, but most work on a volunteer basis without institutional backing.

The Broader Security Landscape

For Portugal, where critical infrastructure increasingly depends on open-source components, the implications are significant. The traditional vulnerability disclosure model—relying on coordinated vendor communication and human researchers—now faces disruption from AI capable of identifying exploits that eluded experts for decades.

Portugal's National AI Agenda (ANIA) outlines the country's strategy for AI adoption but does not currently address how to manage supply-chain disruptions or AI-driven security threats from external powers. Legal and compliance teams at Portuguese enterprises with cross-border operations—particularly those in defense, finance, or cloud services—are navigating an increasingly complex regulatory landscape as different jurisdictions adopt divergent approaches to AI governance.

The Pentagon Context

Anthropic's security initiative unfolds against a significant backdrop. In July 2025, Anthropic signed a $200M contract with the U.S. Department of Defense. By February 2026, negotiations collapsed after CEO Dario Amodei refused to remove contractual clauses prohibiting Claude's use for mass surveillance of U.S. citizens or in fully autonomous lethal weapons that make kill decisions without human oversight.

The U.S. Department of Defense responded by designating Anthropic a "supply chain risk" in March 2026—a classification typically reserved for foreign firms like Huawei. This designation bars federal agencies from procuring Anthropic's products and pressures private contractors to sever ties with the company.

For Portuguese companies, this carries implications. Those integrating Claude into software stacks can continue to do so, but organizations serving U.S. government clients have been forced to halt Claude usage to comply with the federal mandate.

What Portuguese Organizations Should Do

For Portugal-based IT departments and security teams, actionable steps include:

Monitor CNCS alerts and EU cybersecurity resources for coordinated vulnerability disclosures in the coming months. Patches from Glasswing participants will eventually trickle down to public software.

Prioritize systems running FFmpeg, FreeBSD, OpenBSD, and Linux-based applications. These are among the affected platforms identified by Claude Mythos Preview.

Engage with open-source project maintainers where your organization has dependencies, particularly if you have internal security research capacity. Reports flowing from Glasswing may reach maintainers directly.

Review vendor security advisories closely. Major software providers like Microsoft, Google, and Apple participate in Glasswing and will likely release patches addressing the discovered flaws.

The APDC Congress, scheduled for May 6-7 at Lisbon's LISPOLIS Technology Forum, will explore "Europe in the Digital Era—Balancing Sovereignty, Security, and Innovation." The timing underscores a strategic reality: as the U.S. fractures over AI governance—with Anthropic defending ethical safeguards while federal agencies attempt to block its contracts—Portugal and the broader European Union must decide whether to depend on external AI security tools or pursue independent capabilities.

In the immediate term, the vulnerabilities that Claude Mythos Preview has uncovered are not theoretical. They are actively exploitable, and some have been for nearly three decades. The race to patch them has begun.

The Portugal Post is an independent news source for English-speaking audiences.
Follow us here for more updates: https://x.com/theportugalpost