Public evidence that AI-assisted systems are changing vulnerability discovery economics.https://bugflation.com/en-ushttps://bugflation.com/findings/anthropic-cvd-may-2026-mythos-oss-cluster/https://bugflation.com/findings/anthropic-cvd-may-2026-mythos-oss-cluster/Anthropic's Project Glasswing CVD dashboard revealed 17 fixed, CVE/GHSA-backed open-source entries attributed to Claude Mythos Preview, including Nomad, Temporal, Mastodon, FreeRDP, jq, MapServer, wolfSSL, Gitoxide, Ghost, Craft CMS, and other projects. - Project Glasswing CVD cluster: path traversal, broken access control, SSRF, heap overflow, SQL injection, RCE, and privilege escalation, severity critical, credited system Claude Mythos Preview, attribution direct.Wed, 20 May 2026 00:00:00 GMTfindingcriticalclaude-mythosdirecthttps://bugflation.com/findings/cve-2026-42945-nginx-rift-depthfirst/https://bugflation.com/findings/cve-2026-42945-nginx-rift-depthfirst/DepthFirst says its autonomous low-level analysis platform found four confirmed NGINX memory-corruption issues, led by CVE-2026-42945, the critical NGINX Rift rewrite-module heap overflow. - NGINX memory-corruption cluster led by rewrite-module heap overflow RCE, severity critical, credited system DepthFirst, attribution self-reported.Wed, 13 May 2026 00:00:00 GMTfindingcriticaldepthfirstself-reportedhttps://bugflation.com/findings/cve-2026-46300-fragnesia-v12-linux-kernel/https://bugflation.com/findings/cve-2026-46300-fragnesia-v12-linux-kernel/V12's public PoC and write-up say Fragnesia, CVE-2026-46300, was discovered with V12 by William Bowling and the V12 team; distro trackers and kernel patch mail corroborate the Linux XFRM ESP-in-TCP local-root vulnerability. - Shared page-fragment marker loss leading to page-cache corruption and local privilege escalation, severity high, credited system V12, attribution direct.Wed, 13 May 2026 00:00:00 GMTfindinghighv12directhttps://bugflation.com/findings/palo-alto-frontier-ai-may-2026-cve-wave/https://bugflation.com/findings/palo-alto-frontier-ai-may-2026-cve-wave/Palo Alto Networks says its May 2026 Patch Wednesday wave covered 26 CVEs representing 75 issues after scanning more than 130 products with frontier AI models, including Anthropic Mythos, Claude Opus 4.7, and OpenAI GPT-5.5-Cyber. - Vendor-scale frontier-AI vulnerability-discovery wave across PAN-OS, GlobalProtect, Prisma, Cortex, WildFire, Browser, and related products, severity high, credited system Palo Alto frontier AI scan, attribution self-reported.Wed, 13 May 2026 00:00:00 GMTfindinghighpalo-alto-frontier-ai-scanself-reportedhttps://bugflation.com/findings/microsoft-mdash-may-2026-windows-cve-cohort/https://bugflation.com/findings/microsoft-mdash-may-2026-windows-cve-cohort/Microsoft says its multi-model agentic scanning harness, codename MDASH, helped researchers find 16 CVEs across Windows networking and authentication code, including four Critical remote code execution flaws. - Windows network-stack and authentication vulnerability-discovery cluster, severity critical, credited system Microsoft MDASH, attribution direct.Tue, 12 May 2026 00:00:00 GMTfindingcriticalmicrosoft-mdashdirecthttps://bugflation.com/articles/dirtyfrag-copyfail2-page-cache-bug-class/https://bugflation.com/articles/dirtyfrag-copyfail2-page-cache-bug-class/DirtyFrag and Copy Fail2 are not new AI-attributed findings, but they are important CopyFail-adjacent evidence: Linux still has dangerous seams where zero-copy networking, page-cache provenance, and in-place crypto meet.Fri, 08 May 2026 06:45:00 GMTlinuxcopyfaildirtyfragpage-cacheanalysisMounir Idrassihttps://bugflation.com/articles/public-record-is-thin-but-real/https://bugflation.com/articles/public-record-is-thin-but-real/The AI vulnerability-discovery record is still small, but direct credits now span browsers, kernels, bootloaders, crypto libraries, and OSS tooling.Fri, 08 May 2026 00:00:00 GMTmethodologyevidenceBugflation Editorialhttps://bugflation.com/findings/cve-2026-31532-linux-can-bynario/https://bugflation.com/findings/cve-2026-31532-linux-can-bynario/Bynario says its LLM-driven pipeline discovered, validated, and patched CVE-2026-31532, a Linux kernel CAN raw socket use-after-free; the upstream Linux commit includes Assisted-by: Bynario AI. - RCU teardown race causing use-after-free of per-CPU CAN raw socket state, severity high, credited system BynarIO AI, attribution direct.Thu, 07 May 2026 00:00:00 GMTfindinghighbynario-aidirecthttps://bugflation.com/findings/cve-2026-39816-apache-nifi-zeropath/https://bugflation.com/findings/cve-2026-39816-apache-nifi-zeropath/ZeroPath Research disclosed an Apache NiFi authorization flaw where users without EXECUTE_CODE can run code through TinkerpopClientService when optional graph extensions are installed. - Authorization bypass leading to server-side code execution, severity high, credited system ZeroPath AI SAST, attribution self-reported.Thu, 07 May 2026 00:00:00 GMTfindinghighzeropath-ai-sastself-reportedhttps://bugflation.com/articles/copyfail-is-the-bugflation-moment/https://bugflation.com/articles/copyfail-is-the-bugflation-moment/CVE-2026-31431 shows the bugflation pattern: expert framing plus AI-assisted subsystem review made a kernel root bug cheap to surface.Mon, 04 May 2026 12:00:00 GMTcopyfaillinuxxint-codethesisMounir Idrassihttps://bugflation.com/articles/introducing-bugflation/https://bugflation.com/articles/introducing-bugflation/Bugflation names the gap between AI-accelerated vulnerability discovery and the slower systems that validate, patch, and deploy fixes.Mon, 04 May 2026 00:00:00 GMTeditorialthesisMounir Idrassihttps://bugflation.com/articles/second-pass-audit-what-changed/https://bugflation.com/articles/second-pass-audit-what-changed/The launch audit added AI-attributed disclosures from Security Copilot, Claude, OpenAI Codex Security, AISLE, OSS-Fuzz AI, and Calif.io.Mon, 04 May 2026 00:00:00 GMTauditevidenceBugflation Editorialhttps://bugflation.com/findings/cve-2026-23918-apache-httpd-striga/https://bugflation.com/findings/cve-2026-23918-apache-httpd-striga/Striga says an open-weights model scan costing under $100 surfaced the Apache HTTP Server 2.4.66 mod_http2 double-free behind CVE-2026-23918; Apache credits Bartlomiej Dmitruk, striga.ai, and Stanislaw Strzalkowski, isec.pl, as finders. - HTTP/2 double free with possible remote code execution, severity high, credited system Striga AI, attribution self-reported.Mon, 04 May 2026 00:00:00 GMTfindinghighstriga-aiself-reportedhttps://bugflation.com/articles/patch-capacity-is-the-bottleneck/https://bugflation.com/articles/patch-capacity-is-the-bottleneck/If AI makes discovery cheaper, the scarce resource moves downstream: triage, reproduction, patch review, release engineering, and deployment.Sat, 02 May 2026 00:00:00 GMToperationsdefenseBugflation Editorialhttps://bugflation.com/articles/from-big-sleep-to-xbow/https://bugflation.com/articles/from-big-sleep-to-xbow/Big Sleep and XBOW point to different parts of the AI security stack: source-aware vulnerability research and autonomous black-box testing.Fri, 01 May 2026 00:00:00 GMTbig-sleepxbowanalysisBugflation Editorialhttps://bugflation.com/findings/cve-2026-31694-linux-fuse-bynario/https://bugflation.com/findings/cve-2026-31694-linux-fuse-bynario/The Linux fix for CVE-2026-31694, a FUSE readdir page-cache overflow, includes Assisted-by: Bynario AI; Bynario says its LLM-driven pipeline found and validated the FUSE bug, while the upstream commit also carries separate reporter credits. - Oversized FUSE dirent copied into a single page-cache page, severity high, credited system BynarIO AI, attribution direct.Fri, 01 May 2026 00:00:00 GMTfindinghighbynario-aidirecthttps://bugflation.com/findings/aisle-freebsd-april-2026-dhclient-libnv-cluster/https://bugflation.com/findings/aisle-freebsd-april-2026-dhclient-libnv-cluster/FreeBSD's April 29, 2026 advisories credit Joshua Rogers of AISLE Research Team for CVE-2026-42511, a local-network-to-root dhclient RCE, plus a second dhclient heap overflow and a libnv stack overflow. - DHCP client command injection, heap overflow, and libnv stack overflow, severity high, credited system AISLE, attribution direct.Wed, 29 Apr 2026 00:00:00 GMTfindinghighaisledirecthttps://bugflation.com/findings/cve-2026-31431-copyfail-linux-kernel/https://bugflation.com/findings/cve-2026-31431-copyfail-linux-kernel/CVE-2026-31431 is a Linux kernel AF_ALG/authencesn logic bug that gives an unprivileged local user a controlled 4-byte page-cache write and a reliable path to root on affected systems. - Incorrect resource transfer -> page-cache corruption -> local privilege escalation, severity high, credited system Xint Code, attribution direct.Wed, 29 Apr 2026 00:00:00 GMTfindinghighxint-codedirecthttps://bugflation.com/findings/xint-code-public-tracker-cve-backed-cluster/https://bugflation.com/findings/xint-code-public-tracker-cve-backed-cluster/Theori's Xint public bug tracker lists 50 Xint tracker findings as of May 5, 2026; seven non-CopyFail entries have CVE IDs across CPython, CUPS, NGINX, mruby, MariaDB, and PostgreSQL. - Memory-safety and parser vulnerabilities across open-source server and runtime projects, severity critical, credited system Xint Code, attribution self-reported.Wed, 29 Apr 2026 00:00:00 GMTfindingcriticalxint-codeself-reportedhttps://bugflation.com/findings/cve-2026-42167-proftpd-zeropath/https://bugflation.com/findings/cve-2026-42167-proftpd-zeropath/ZeroPath Research disclosed a ProFTPD mod_sql SQL injection that can lead to authentication bypass, privilege escalation, credential exfiltration, or RCE depending on configuration; ProFTPD fixed it in 1.3.9a. - SQL injection in FTP SQL logging and authentication paths, severity high, credited system ZeroPath AI SAST, attribution self-reported.Tue, 28 Apr 2026 00:00:00 GMTfindinghighzeropath-ai-sastself-reportedhttps://bugflation.com/findings/aisle-openssl-2025-2026-cve-run/https://bugflation.com/findings/aisle-openssl-2025-2026-cve-run/AISLE reports 20 OpenSSL CVEs across three coordinated releases, including all 12 January 2026 OpenSSL CVEs and five of seven April 2026 CVEs. - Cryptographic-library vulnerability cluster, severity high, credited system AISLE, attribution direct.Fri, 24 Apr 2026 00:00:00 GMTfindinghighaisledirecthttps://bugflation.com/findings/freebsd-april-2026-claude-followups/https://bugflation.com/findings/freebsd-april-2026-claude-followups/FreeBSD-SA-26:10.tty and FreeBSD-SA-26:11.amd64 credit Nicholas Carlini using Claude, Anthropic for two additional kernel security advisories after CVE-2026-4747. - Kernel use-after-free and memory-protection logic flaws, severity high, credited system Claude / Anthropic Research, attribution direct.Tue, 21 Apr 2026 00:00:00 GMTfindinghighclaude-anthropic-researchdirecthttps://bugflation.com/findings/mozilla-firefox-150-mythos-cluster/https://bugflation.com/findings/mozilla-firefox-150-mythos-cluster/Mozilla says Firefox 150 includes fixes for 271 vulnerabilities identified during an initial Claude Mythos Preview evaluation; public CVE advisories include direct Claude credit on specific entries. - Browser vulnerability cluster, severity high, credited system Claude Mythos Preview, attribution direct.Tue, 21 Apr 2026 00:00:00 GMTfindinghighclaude-mythosdirecthttps://bugflation.com/findings/zeropath-spinnaker-rce-cve-2026-cluster/https://bugflation.com/findings/zeropath-spinnaker-rce-cve-2026-cluster/ZeroPath Research says it found two critical Spinnaker RCEs, CVE-2026-32604 and CVE-2026-32613, in Clouddriver and Echo; GitHub advisories rate both 9.9 critical and Spinnaker shipped fixes. - Command injection and Spring Expression Language code injection in deployment services, severity critical, credited system ZeroPath AI SAST, attribution self-reported.Mon, 20 Apr 2026 00:00:00 GMTfindingcriticalzeropath-ai-sastself-reportedhttps://bugflation.com/findings/califio-claude-nginx-wolfssl-madbugs/https://bugflation.com/findings/califio-claude-nginx-wolfssl-madbugs/Calif.io's MADBugs work with Claude and Anthropic Research produced a high-severity NGINX DAV issue and a wolfSSL release cluster credited to Calif.io in collaboration with Claude and Anthropic Research. - Web server and cryptographic-library vulnerability cluster, severity high, credited system Claude / Anthropic Research, attribution direct.Fri, 10 Apr 2026 00:00:00 GMTfindinghighclaude-anthropic-researchdirecthttps://bugflation.com/findings/cve-2026-4747-freebsd-mythos-nfs-rce/https://bugflation.com/findings/cve-2026-4747-freebsd-mythos-nfs-rce/CVE-2026-4747 is a 17-year-old FreeBSD RPCSEC_GSS/NFS kernel RCE that Anthropic says Claude Mythos Preview fully autonomously identified and exploited. - Remote kernel memory corruption -> root code execution, severity critical, credited system Claude Mythos Preview, attribution direct.Tue, 07 Apr 2026 00:00:00 GMTfindingcriticalclaude-mythosdirecthttps://bugflation.com/findings/cve-2026-34197-activemq-claude/https://bugflation.com/findings/cve-2026-34197-activemq-claude/Horizon3.ai says Claude took the first pass on the source-code review that led to CVE-2026-34197, an Apache ActiveMQ Jolokia/JMX code-execution issue later accepted by Apache and added to CISA KEV. - Jolokia/JMX code execution through network connector configuration, severity high, credited system Claude / Anthropic Research, attribution direct.Mon, 06 Apr 2026 00:00:00 GMTfindinghighclaude-anthropic-researchdirecthttps://bugflation.com/findings/claude-firefox-148-149-cve-cluster/https://bugflation.com/findings/claude-firefox-148-149-cve-cluster/Anthropic says Claude Opus 4.6 found 22 Firefox vulnerabilities in two weeks; Mozilla advisories for Firefox 148 and 149 publicly credit researchers using Claude from Anthropic across 28 CVEs. - Browser memory-safety and sandbox-relevant vulnerability cluster, severity high, credited system Claude / Anthropic Research, attribution direct.Tue, 24 Mar 2026 00:00:00 GMTfindinghighclaude-anthropic-researchdirecthttps://bugflation.com/findings/cve-2026-32191-bing-images-command-injection/https://bugflation.com/findings/cve-2026-32191-bing-images-command-injection/CVE-2026-32191 is a critical Bing Images remote-code-execution issue that XBOW lists among autonomous findings in Microsoft software. - OS command injection -> remote code execution, severity critical, credited system XBOW, attribution self-reported.Thu, 19 Mar 2026 00:00:00 GMTfindingcriticalxbowself-reportedhttps://bugflation.com/findings/cve-2026-32194-bing-images-command-injection/https://bugflation.com/findings/cve-2026-32194-bing-images-command-injection/CVE-2026-32194 is a critical Bing Images command-injection RCE that XBOW says was found by its autonomous offensive-security system. - Command injection -> remote code execution, severity critical, credited system XBOW, attribution self-reported.Thu, 19 Mar 2026 00:00:00 GMTfindingcriticalxbowself-reportedhttps://bugflation.com/findings/openai-codex-security-oss-cve-examples/https://bugflation.com/findings/openai-codex-security-oss-cve-examples/OpenAI says Codex Security, formerly Aardvark, has produced 14 assigned CVEs in open-source projects and lists examples across GnuTLS, Gogs, Thorium, and GnuPG. - Open-source vulnerability discovery and validation cluster, severity high, credited system OpenAI Aardvark / Codex Security, attribution direct.Fri, 06 Mar 2026 00:00:00 GMTfindinghighopenai-aardvarkdirecthttps://bugflation.com/findings/cve-2026-21536-microsoft-devices-pricing/https://bugflation.com/findings/cve-2026-21536-microsoft-devices-pricing/XBOW says it was credited for CVE-2026-21536, a critical Microsoft Devices Pricing Program remote-code-execution vulnerability with a 9.8 CVSS v3.1 score. - Remote code execution, severity critical, credited system XBOW, attribution self-reported.Thu, 05 Mar 2026 00:00:00 GMTfindingcriticalxbowself-reportedhttps://bugflation.com/findings/apple-webkit-26-2-bigsleep-followups/https://bugflation.com/findings/apple-webkit-26-2-bigsleep-followups/Apple's iOS 26.2 and iPadOS 26.2 security content credits Google Big Sleep on additional WebKit issues, including CVE-2025-43535 and CVE-2025-46299. - WebKit memory handling / internal-state disclosure, severity medium, credited system Google Big Sleep, attribution direct.Fri, 09 Jan 2026 00:00:00 GMTfindingmediumgoogle-big-sleepdirecthttps://bugflation.com/findings/zeropath-ffmpeg-seven-memory-safety-fixes/https://bugflation.com/findings/zeropath-ffmpeg-seven-memory-safety-fixes/ZeroPath says its AI-assisted SAST reported seven FFmpeg memory-safety and protocol-logic bugs, including buffer overflows, invalid frees, and underflow-driven memory disclosure; the public post links to upstream FFmpeg patches. - Memory-safety and protocol logic vulnerability cluster, severity high, credited system ZeroPath AI SAST, attribution self-reported.Tue, 02 Dec 2025 00:00:00 GMTfindinghighzeropath-ai-sastself-reportedhttps://bugflation.com/findings/zeropath-sudo-exec-mailer-crackarmor/https://bugflation.com/findings/zeropath-sudo-exec-mailer-crackarmor/The sudo project credited the ZeroPath AI Security Engineer for an exec_mailer fix that made privilege-drop failures fatal and dropped group privileges; Qualys later documented the same sudo behavior as part of its CrackArmor AppArmor + Sudo + Postfix root chain. - Incomplete privilege drop in sudo mailer execution, severity high, credited system ZeroPath AI SAST, attribution direct.Sat, 08 Nov 2025 00:00:00 GMTfindinghighzeropath-ai-sastdirecthttps://bugflation.com/findings/apple-webkit-26-1-bigsleep-cluster/https://bugflation.com/findings/apple-webkit-26-1-bigsleep-cluster/Apple's Safari 26.1 security content credits Google Big Sleep for five WebKit CVEs spanning buffer overflow, state handling, memory corruption, and use-after-free issues. - WebKit memory-safety cluster, severity high, credited system Google Big Sleep, attribution direct.Mon, 03 Nov 2025 00:00:00 GMTfindinghighgoogle-big-sleepdirecthttps://bugflation.com/findings/cve-2025-43377-apple-modelio-bynario/https://bugflation.com/findings/cve-2025-43377-apple-modelio-bynario/Apple's macOS Sequoia 15.7.2 security content credits BynarIO AI for CVE-2025-43377, a Model I/O out-of-bounds read fixed with improved bounds checking. - Out-of-bounds read in Model I/O media parsing, severity medium, credited system BynarIO AI, attribution direct.Mon, 03 Nov 2025 00:00:00 GMTfindingmediumbynario-aidirecthttps://bugflation.com/findings/cve-2025-61928-better-auth-zeropath/https://bugflation.com/findings/cve-2025-61928-better-auth-zeropath/ZeroPath says its scanner found an authentication-bypass flaw in better-auth's API keys plugin that allowed unauthenticated attackers to mint or update API keys for arbitrary users. - Authentication bypass in API key creation and update routes, severity high, credited system ZeroPath AI SAST, attribution self-reported.Sun, 19 Oct 2025 00:00:00 GMTfindinghighzeropath-ai-sastself-reportedhttps://bugflation.com/findings/cve-2025-9478-chrome-angle-bigsleep/https://bugflation.com/findings/cve-2025-9478-chrome-angle-bigsleep/CVE-2025-9478 is a critical Chrome ANGLE use-after-free reported by Google Big Sleep and fixed in Chrome 139.0.7258.154/.155. - Use-after-free -> heap corruption, severity critical, credited system Google Big Sleep, attribution direct.Tue, 26 Aug 2025 00:00:00 GMTfindingcriticalgoogle-big-sleepdirecthttps://bugflation.com/findings/cve-2025-9132-chrome-v8-oob-write/https://bugflation.com/findings/cve-2025-9132-chrome-v8-oob-write/Chrome 139 fixed CVE-2025-9132, a high-severity V8 out-of-bounds write reported by Google Big Sleep. - Out-of-bounds write -> heap corruption, severity high, credited system Google Big Sleep, attribution direct.Tue, 19 Aug 2025 00:00:00 GMTfindinghighgoogle-big-sleepdirecthttps://bugflation.com/findings/cve-2025-6965-sqlite-aggregate-terms/https://bugflation.com/findings/cve-2025-6965-sqlite-aggregate-terms/CVE-2025-6965 affected SQLite before 3.50.2 and was publicly described by Google as a Big Sleep finding that helped cut off imminent exploitation. - Aggregate-term accounting -> memory corruption, severity high, credited system Google Big Sleep, attribution direct.Tue, 15 Jul 2025 00:00:00 GMTfindinghighgoogle-big-sleepdirecthttps://bugflation.com/findings/microsoft-security-copilot-bootloader-cluster/https://bugflation.com/findings/microsoft-security-copilot-bootloader-cluster/Microsoft says Security Copilot helped uncover 20 bootloader CVEs spanning GRUB2, U-Boot, and Barebox, including Secure Boot bypass-relevant GRUB2 memory-corruption flaws. - Bootloader memory corruption and Secure Boot bypass-relevant flaws, severity high, credited system Microsoft Security Copilot, attribution direct.Mon, 31 Mar 2025 00:00:00 GMTfindinghighmicrosoft-security-copilotdirecthttps://bugflation.com/findings/google-oss-fuzz-ai-openssl-cve-2024-9143/https://bugflation.com/findings/google-oss-fuzz-ai-openssl-cve-2024-9143/Google says its LLM-generated and enhanced OSS-Fuzz targets found 26 new vulnerabilities, highlighted by CVE-2024-9143 in OpenSSL. - AI-generated fuzz target vulnerability discovery, severity medium, credited system Google OSS-Fuzz AI, attribution direct.Wed, 20 Nov 2024 00:00:00 GMTfindingmediumgoogle-oss-fuzz-aidirecthttps://bugflation.com/findings/google-bigsleep-sqlite-stack-underflow/https://bugflation.com/findings/google-bigsleep-sqlite-stack-underflow/Google Project Zero and DeepMind reported Big Sleep's first public real-world finding: an exploitable SQLite memory-safety issue fixed before reaching an official release. - Stack buffer underflow, severity high, credited system Google Big Sleep, attribution direct.Fri, 01 Nov 2024 00:00:00 GMTfindinghighgoogle-big-sleepdirect