Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

A bug that survived 27 years in OpenBSD and another that dodged 5 million fuzzer runs in FFmpeg — both found autonomously. Say what you will about AI hype, but 'better than every fuzzer ever written at finding the bug that was always there' is a genuinely new capability. Open source maintainers getting $4M and free access to this is the real headline.


Which bug?

[edit]: this bug: https://ftp.openbsd.org/pub/OpenBSD/patches/7.8/common/025_s...


FFmpeg has a lot of weird and not widely used codecs that don't get a lot of scrutiny. If there's no specifics then it could be a bug in one them.


They specifically mention "H.264, H.265, and av1 codecs, along with many others" here https://red.anthropic.com/2026/mythos-preview/


this only makes things worse for ffmpeg

if someone sends you a malicious file that uses a rare codec and you open it, you will trigger this codepath that is not widely used and don't get a lot of scrutiny


A prior bug discussed here was against a file format only used by specific 1990s Lucas Arts adventure games titles. Obscure enough that discussion of the bug report itself was the only search results. Your video player is unlikely to even attempt to open that.


This was the top comment and it is suddenly flagged for no reason at all. It looks like meta-flagging, where people just want to hide replies to the comment they do not want you to read.

The amount of astroturfing and astroflagging in Anthropic threads is insane.


These issues are always found in the same kinds of projects that support an insane amount of largely unused protocols and features like ffmpeg, sudo, curl.

OpenBSD has many unexplored corners and also (irresponsibly IMO) maintains forks of other projects in base.

A motivated human could find all of these probably by writing 100% code coverage and fuzzing.

The market for these tools is very small. Good luck applying them to a release of sqlite or postfix.

I don't understand how people here are hyping this up, unless they work for AI related companies as probably 80% of them do. People have found these issues for decades without AI. Sure, you can generate fuzzing code and find one or two issues in the usual suspects. Better do it manually and understand your own code.


It’s insane. This is what - could we say it’s beyond AGI at least in cybersecurity? This is a real wake up call. On some of this stuff, the AI’s “uneven intelligence” is becoming absurdly high at its local peaks.


> could we say it’s beyond AGI at least in cybersecurity?

AGI is like the Holy Grail. Either in the Arthurian Hero's Journey sense, or in the sense of having been a myth all along.


It’s true I misspoke. What I mean is - is this then a form of localised super intelligent tool for cybersecurity ?


Limiting it to the area of cybersecurity is by definition not general.


Perhaps "ASI" is the better acronym here


Yes that’s true. I misspoke. I meant - is this a super intelligent tool then for cybersecurity?


Which S are you thinking of here?


Please stop using terms you don’t understand like “AGI” because you feel overwhelmed by something doing cool stuff. It’s exhausting.


You’re right. What I mean is - is this superhuman intelligence at cybersecurity? Or did we just build an amazing tool? But that’s kind of the whole debate


No, it's not intelligence of any kind. It's a statistical language analyzer and reconstructor. This happens to be extremely useful for targeting things like systems that consist of logic defined in structured language.




Consider applying for YC's Summer 2026 batch! Applications are open till May 4

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: