Anthropic's Project Glasswing used Claude Mythos Preview to find a 16-year-old vulnerability in the H.264 codec of FFmpeg, the open-source multimedia framework that powers virtually every video and audio application from Adobe Premiere Pro to ComfyUI. Automated testing tools had hit the vulnerable code path five million times without ever catching the problem.

What Happened

Project Glasswing launched on April 7, 2026, as a cross-industry cybersecurity initiative bringing together 12 major technology companies to use AI for defensive security. The coalition includes Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks, with 40-plus additional organizations that maintain critical infrastructure also receiving access.

The initiative is powered by Claude Mythos Preview, the frontier model that first surfaced in a leak last month. Beyond the FFmpeg flaw, Mythos found a 27-year-old vulnerability in OpenBSD that could remotely crash any machine running it, and autonomously chained together several Linux kernel vulnerabilities to achieve privilege escalation.

Why It Matters

FFmpeg is not just any open-source project. It is the backbone of the creative tools ecosystem. Video editors, AI video generators, audio processing pipelines, streaming platforms, and media conversion tools all rely on FFmpeg for encoding and decoding. A vulnerability that persisted for 16 years in code tested millions of times represents a security exposure across the entire creative software stack.

On the CyberGym vulnerability reproduction benchmark, Mythos Preview scored 83.1% compared to Claude Opus 4.6 at 66.6%. Anthropic is committing $100 million in Mythos Preview usage credits plus $2.5 million to the Linux Foundation Alpha-Omega and OpenSSF projects and $1.5 million to the Apache Software Foundation.

Key Details

Mythos Preview is priced at $25 per million input tokens and $125 per million output tokens following the research preview period. It is available through the Claude API, Amazon Bedrock, Google Cloud Vertex AI, and Microsoft Foundry, but only to approved partners working on defensive cybersecurity. Anthropic has stated there are no plans for a general public release. The Mythos system card provides additional technical details and safety evaluations.

What to Do Next

Creative professionals running local video or audio processing pipelines should watch for FFmpeg security updates in the coming weeks as responsible disclosure timelines complete. Anyone using FFmpeg-dependent tools should ensure they are running the latest stable release, including any copy of FFmpeg that a tool bundles separately from the system-wide install. For a deeper look at what the Mythos model means for creative AI workflows, read our full analysis.