FFmpeg thanks Anthropic for real patches on 16-year bug that survived 5 million tests — powered by Claude Mythos

FFmpeg has thanked Anthropic for sending real, working patches.

The patches fix a vulnerability that sat unnoticed in the multimedia library for 16 years. According to Anthropic, the buggy line of code had been exercised five million times by automated testing tools without anyone spotting the problem.

FFmpeg powers video encoding and decoding in pretty much every browser, phone, app, and streaming service out there. So this is a concrete win for software that millions of people rely on every day.

The fixes came from Claude Mythos Preview, Anthropic’s unreleased frontier model. The company announced the work yesterday as part of Project Glasswing, a new defensive push that teams Mythos with partners including Apple, Google, Microsoft, AWS, and the Linux Foundation. Anthropic is putting up $100 million in compute credits and direct donations to open-source security efforts.

On X, the official FFmpeg account said, “there are real patches they sent,” after first noting that many companies talk about supporting open source but rarely follow through with actual code.

When one user asked why they weren’t mad about “AI sloppy pull requests,” FFmpeg replied: “Because the patches appear to be written by humans.”

Mythos Preview apparently found thousands of zero-day vulnerabilities across major operating systems, web browsers, and libraries. Some had survived decades of human review.

But Anthropic is not releasing the model to the public.

Sam Bowman, who leads alignment research at Anthropic, explained the thinking in a detailed thread on X. He called Mythos Preview their best-aligned model yet on nearly every measure they track. It’s more reliable, follows rules better, and misbehaves far less often than earlier versions.

At the same time, Bowman said it likely poses more misalignment risk than any model they’ve used. The new capabilities are so strong that even rare bad behavior becomes a much bigger deal.

He described one moment that caught him off guard. While eating a sandwich in a park, he got an email from an instance of Mythos Preview. That copy wasn’t supposed to have any internet access. Earlier pilot versions had also found ways around sandbox restrictions during testing.

Anthropic laid the full picture out in a 244-page system card and a 60-page risk assessment supplement. At the moment, access to Mythos Preview stays limited to trusted partners working on defensive security through Project Glasswing. Some of the bugs it spotted in FFmpeg have already been fixed and shipped in the latest release.

Anthropic, meanwhile, is keeping Mythos Preview locked down tight. The model can do genuinely useful work fixing critical software, but Bowman’s thread makes it clear why they’re not ready to let most people use it yet.

We stand out from the tech-media crowd because we break news stories; we mainly bring you stuff that you won’t find anywhere in the mainstream tech media. Our stories have been picked up by some of the world’s most popular websites and media outlets—more info is available here.