Last week, Anthropic announced that its newest model, Claude Mythos, had achieved what it called the "first remote kernel exploit discovered and exploited by an AI." The security community took notice. Then Rival Security took a closer look, and traced the "discovery" back to a nearly identical vulnerability patched in 2007. The implications aren't what you'd expect, and they're far more dangerous than a single CVE.
CVE-2026-4747 is a remote code execution vulnerability in FreeBSD's networked file system. It's a textbook stack overflow: a 128-byte buffer receives credential data without a bounds check, and because FreeBSD doesn't compile in standard protections like KASLR or stack canaries, exploitation is straightforward. Mythos found it, built a working exploit, and Anthropic publicized the result.
Rival Security's researchers dug into the vulnerable function, svc_rpc_gss_validate(), and recognized something immediately. The code was virtually identical to a function in MIT's Kerberos implementation that had been patched in 2007 under CVE-2007-3999. FreeBSD had copied the vulnerable code from MIT's implementation years ago and never applied the corresponding fix. The vulnerable pattern, the same buffer size, the same missing bounds check, the same memcpy call, had been sitting in FreeBSD's kernel for nearly two decades.
The 2007 CVE, its patch, and the vulnerable Kerberos source code are all publicly available. They're in open-source repositories, in security advisories, in academic papers. They're in AI training data. Mythos didn't synthesize a novel exploit from first principles. It recognized a pattern it had already seen, and applied it to a codebase where the pattern still existed, unpatched.
This wasn't AI creativity. It was AI recall, applied at a speed and scale no human team could match. And that distinction matters enormously for how we defend against it.
The security industry has spent decades optimizing for novel threats. Signature-based detection, behavioral analysis, anomaly scoring, these tools assume that the attack is doing something new or unusual. But when an AI model carries thousands of known exploit patterns in its weights and can recognize where they apply in unfamiliar codebases, the attack surface isn't the model's creativity. It's the model's memory.
Consider what this means operationally. Every frontier model trained on public code repositories has absorbed decades of vulnerability patterns alongside the code they were designed to learn from. These patterns aren't stored as labeled "exploits." They're encoded in the same weight matrices that handle legitimate coding tasks. The model doesn't distinguish between "write a bounds check" and "this code is missing a bounds check I've seen exploited before." Both are just patterns. Both activate the same learned representations.
This is the core problem. An AI agent conducting a legitimate code review and an AI agent conducting exploit reconnaissance will produce requests that look identical at the prompt level. The natural language is the same. The code context is the same. The only difference is intent, and intent lives in the model's internal activations, not in the text of the request.
Most AI security guardrails today work at the surface level. They scan prompts for suspicious keywords. They match output patterns against known-bad templates. They apply natural language rules that classify requests by their syntactic content. These tools were designed for a world where the threat was a user typing "how do I hack X" into a chatbox.
That world is already behind us.
In the Mythos case, there was no malicious prompt to intercept. No jailbreak. No adversarial string. The model was given a legitimate research task, to analyze this codebase for vulnerabilities, and it did exactly what it was trained to do. It recognized a pattern from its training data and applied it. A prompt-level firewall would see a perfectly benign request. An output-level scanner would see technically accurate code analysis. Neither tool would flag anything, because nothing at the text level was unusual.
Shallow NLP-based guardrails operate on tokens, the text going in and coming out. But exploit patterns aren't stored as text in a model's weights. They're encoded as learned representations: activation patterns across layers, circuit paths that fire when the model recognizes a familiar vulnerability signature. You can't write a regex for a residual stream. You can't keyword-filter an attention head. The only way to detect what a model has internalized is to look inside.
The Mythos finding didn't happen in isolation. It arrived in a week where the infrastructure powering these models expanded dramatically. Anthropic announced a compute partnership with SpaceX, adding over 300 megawatts of GPU capacity, more than 220,000 NVIDIA GPUs, to its inference infrastructure within a single month. Subquadratic, a new AI research company, launched models with architecturally linear scaling that can process up to 12 million tokens of context in a single pass. Google released multi-token prediction drafters for Gemma 4, achieving up to 3x inference speedups. Nvidia partnered with Span to deploy mini AI data centers on residential homes, decentralizing compute into environments with minimal security oversight.
More compute. Longer contexts. Faster inference. More edge deployment. Every one of these developments means more AI requests per second, processed across more diverse environments, with less centralized visibility. The volume of AI actions flowing through enterprise and edge infrastructure is accelerating exponentially, and the guardrails built for a slower, simpler era of AI cannot keep up.
An agent in an OODA loop will route around a prompt firewall. You can't write a syntactic rule for every possible path an autonomous system might take.
If the threat is memorized patterns activating during legitimate-looking inference, then the defense has to operate at the same level. Not on the text. On the computation. This is the fundamental architecture behind Starseer's approach to AI security, and why the Mythos finding validates the need for every layer of the platform.
The Starseer Intelligent Router classifies every AI request by its actual intent, not by keyword matching or shallow NLP heuristics. A code review request that activates vulnerability-scanning circuits in the model is fundamentally different from one that activates documentation-generation circuits, even if the prompt text is identical. AI-SIR understands this distinction and routes accordingly: legitimate development work flows to production models, while requests that trigger security-relevant activation patterns get flagged, logged, and routed through additional inspection before reaching any endpoint.
Starseer AI-EDR continuously monitors model behavior at inference time, tracing decision paths and profiling activations against established behavioral baselines. When a model's residual stream shows dominant activation of exploit-related concept vectors, even if the output text looks clean, AI-EDR detects the anomaly. Think of it as the difference between reading someone's email (output monitoring) and understanding what they're thinking (activation analysis). A model that has internalized CVE-2007-3999 will show it in its computation, whether or not the output contains anything flaggable.
The Mythos case demonstrates why pre-deployment validation matters as much as runtime defense. AI-Verify uses mechanistic interpretability, including activation analysis, circuit tracing, and behavioral probing, to examine what models have actually learned before they enter production. If a model has internalized dangerous vulnerability patterns alongside its legitimate capabilities, AI-Verify surfaces that before the model ever handles a live request. The question isn't whether your model can write good code. It's whether it also learned how to recognize where the old bugs still live.
The security community's initial reaction to the Mythos announcement was alarm: AI can now find kernel-level zero-days. The more accurate reading is subtler and, arguably, more concerning. AI models don't need to be creative to be dangerous. They just need to be good pattern matchers applied to an environment full of unpatched legacy code, and every codebase in production today fits that description.
Rival Security put it directly: the organizations that come out ahead are the ones that deploy agentic defense capabilities before the attackers do. But agentic defense only works if it operates at the right level. Monitoring outputs catches anomalies after the damage is done. Monitoring prompts catches amateur attacks. Monitoring what the model has learned, how it activates during inference, and what intent drives each request, that's how you detect the Mythos-class threat before it reaches your production systems.
Shallow rules were built for a world of shallow threats. The threats have gone deep. The defenses need to follow.
See how Starseer's Intelligent Router, AI-EDR, and AI-Verify give security teams the visibility to detect memorized exploit patterns, route by true intent, and validate what models have actually learned, before it matters.
Request a Demo →