A New Era for Security? Anthropic's Claude Opus 4.6 Found 500 High-Severity Vulnerabilities (axios.com)
- Reference: 0180755342
- News link: https://it.slashdot.org/story/26/02/08/0159234/a-new-era-for-security-anthropics-claude-opus-46-found-500-high-severity-vulnerabilities
- Source link: https://www.axios.com/2026/02/05/anthropic-claude-opus-46-software-hunting
> Anthropic's latest AI model has found more than 500 previously unknown high-severity security flaws in open-source libraries with little to no prompting, the company shared first with Axios.
>
> Why it matters: The advancement signals an inflection point for how AI tools can help cyber defenders, even as AI is also making attacks more dangerous...
>
> Anthropic debuted Claude Opus 4.6, the latest version of its largest AI model, on Thursday. Before its debut, Anthropic's frontier red team tested Opus 4.6 in a sandboxed environment [including access to vulnerability analysis tools] to see how well it could find bugs in open-source code... Claude found more than 500 previously unknown zero-day vulnerabilities in open-source code using just its "out-of-the-box" capabilities, and each one was validated by either a member of Anthropic's team or an outside security researcher... According to a [2]blog post , Claude uncovered a flaw in GhostScript, a popular utility that helps process PDF and PostScript files, that could cause it to crash. Claude also found buffer overflow flaws in OpenSC, a utility that processes smart card data, and CGIF, a tool that processes GIF files.
Logan Graham, head of Anthropic's frontier red team, told Axios they're considering new AI-powered tools to hunt vulnerabilities. "The models are extremely good at this, and we expect them to get much better still... I wouldn't be surprised if this was one of — or the main way — in which open-source software moving forward was secured."
[1] https://www.axios.com/2026/02/05/anthropic-claude-opus-46-software-hunting
[2] https://red.anthropic.com/2026/zero-days/
Real vulnerabilities? (Score:4, Insightful)
Given various open source developers complaining about piles of AI slop vulnerability reports that aren't actually valid, it's the obvious question to ask.
And the other obvious question is whether it provided fixes.
Re: Real vulnerabilities? (Score:2)
I fully believe 500 real vulnerabilities.
But did the noise of bullshit ones make those 500 less likely to be fixed is the real question.
Re: (Score:3)
Two additional questions:
> and each one was validated by either a member of Anthropic's team or an outside security researcher
1. What's the breakdown between the two - how many validated by each?
2. What was the previous relationship between the "outside security researcher" and Anthropic, if any?
Re: (Score:2)
>> and each one was validated by either a member of Anthropic's team or an outside security researcher
> 1. What's the breakdown between the two - how many validated by each?
> 2. What was the previous relationship between the "outside security researcher" and Anthropic, if any?
If you read [1]the linked blog post [anthropic.com] in TFA, it's pretty clear that it was merely a matter of manpower and shouldn't be viewed as suspicious.
> To ensure that Claude hadn’t hallucinated bugs (i.e., invented problems that don’t exist, a problem that increasingly is placing an undue burden on open source developers), we validated every bug extensively before reporting it. We focused on searching for memory corruption vulnerabilities, because they can be validated with relative ease. Unlike logic errors where the program remains functional, memory corruption vulnerabilities are easy to identify by monitoring the program for crashes and running tools like address sanitizers to catch non-crashing memory errors. But because not all inputs that cause a program to crash are high severity vulnerabilities, we then had Claude critique, de-duplicate, and re-prioritize the crashes that remain. Finally, for our initial round of findings, our own security researchers validated each vulnerability and wrote patches by hand. As the volume of findings grew, we brought in external (human) security researchers to help with validation and patch development. Our intent here was to meaningfully assist human maintainers in handling our reports, so the process optimized for reducing false positives. In parallel, we are accelerating our efforts to automate patch development to reliably remediate bugs as we find them.
[1] https://red.anthropic.com/2026/zero-days/
Re: (Score:3)
> If you read [1]the linked blog post [anthropic.com] in TFA
Read the article ? I get ragged on when I admit even reading the summary!
[1] https://red.anthropic.com/2026/zero-days/
Re: (Score:2)
Sometimes they are valid, but they are often nearly impossible to happen in practice (and usually local only.)
Try reading more than the title. (Score:2)
> Real vulnerabilities?
It says right in the summary, "each one was validated by either a member of Anthropic's team or an outside security researcher".
Re: (Score:2)
the cURL project just cancelled their bug bounty program because of AI slop garbage
A new era for aggressive ads on /. (Score:1)
An inflection point on the way to an unstoppable collapse into an irrelevance singularity.
Re: A new era for aggressive ads on /. (Score:2)
Agreed. How many "inflection points" does that make for Anthropic this week? This is at least the second I've seen. And yet, no part of reality seems to have been impacted significantly, let alone inflected.
It's possible to imagine that... (Score:1)
...future AI tools will enable us to make bug free software. Not today, not soon, but it could be possible
As for the posted announcement, good progress, most likely exaggerated, but still progress
Re: (Score:2)
The only small problem will be the text in the labels.
Instead of "Ok" and "Cancel" you'll have random strings, say "Gker" and "Onfeellrp".
And they will change from version to version, along with the placement, colors and the other ui decorations.
But then it will all switch to voice.
CVEs? (Score:2)
So what are the 500 CVEs?
Re: (Score:2)
slop