Stenberg: Mythos finds a curl vulnerability [LWN.net]

Daniel Stenberg has published a lengthy article on his thoughts on Anthropic's Mythos, which the company decided was too dangerous for wide public release.

My personal conclusion can however not end up with anything else than that the big hype around this model so far was primarily marketing. I see no evidence that this setup finds issues to any particular higher or more advanced degree than the other tools have done before Mythos. Maybe this model is a little bit better, but even if it is, it is not better to a degree that seems to make a significant dent in code analyzing.

This is just one source code repository and maybe it is much better on other things. I can only tell and comment on what it found here.

But allow me to highlight and reiterate what I have said before: AI powered code analyzers are significantly better at finding security flaws and mistakes in source code than any traditional code analyzers did in the past. All modern AI models are good at this now. Anyone with time and some experimental spirits can find security problems now. The high quality chaos is real.

to post comments

Now to test the tests

Posted May 11, 2026 15:47 UTC (Mon) by epa (subscriber, #39769) [Link] (20 responses)

The next step in applying AI could be code sabotage. Get the agent to insert a sneaky hidden bug into the code and make sure that the existing test infrastructure catches it. I am talking more about subtle security-related bugs that don't cause an obvious behaviour change and so might not be caught by ordinary unit tests. The branch with the deliberate bug doesn't get merged to master, of course.

Now to test the tests

Posted May 11, 2026 16:50 UTC (Mon) by hailfinger (subscriber, #76962) [Link]

We already had something similar a few years ago. It's called the the Underhanded C Contest: https://www.underhanded-c.org/

Now to test the tests

Posted May 11, 2026 18:34 UTC (Mon) by jd (guest, #26381) [Link] (17 responses)

This may well spur people into introducing contract-based programming into C and C++.

In languages like SPARK, you specify at the head of a function what must be true at the start and end of the function, and the compiler verifies that these constraints will always hold.

It's not perfect, you can write non-secure code in SPARK, but beyond advising and assisting static checkers, you cannot make code impervious to skillful corruption. I'm going to say that probably about the best you can do is place constraints on the damage that can be done.

Now to test the tests

Posted May 11, 2026 22:10 UTC (Mon) by jmalcolm (subscriber, #8876) [Link] (1 responses)

Supply-chain attacks will always be a thing of course. But the broader problem is incompetence (and I include myself). It is the mistakes that we really need to catch. Anything that helps with that should be seen as progress.

It is ok if the protections can be circumvented as long as this is not easily done by accident.

Now to test the tests

Posted May 12, 2026 2:23 UTC (Tue) by wtarreau (subscriber, #51152) [Link]

> It is ok if the protections can be circumvented as long as this is not easily done by accident.

I agree. I consider AI-based reviews the same way as human reviews, and I tell the bots to trust comments. In short, if the human does something that smells bad, it must be explained in a comment. If something smelly is done and not explained in a comment, it's a problem. If a comment doesn't match what is done, it's a problem as well. Let's trust the intent and catch the mistakes that make the implementation deviate from the intent.

Now to test the tests

Posted May 12, 2026 2:28 UTC (Tue) by azumanga (subscriber, #90158) [Link] (14 responses)

The problem with C++, is you know the C++ committee is going to say that it's undefined behaviour to violate the contract.

There are so many places where in recent years C++ could have reasonably reduced UB, and instead they increased it. Like they introduced std::optional to reduce the need for null pointers, then make '*v' on an empty optional be undefined behaviour -- so they are *worse* than a C pointer, because usually reading a null pointer crashes your program, but reading an empty std::optional doesn't, it just reads junk memory!

Now to test the tests

Posted May 12, 2026 7:23 UTC (Tue) by Sesse (subscriber, #53779) [Link] (9 responses)

Dereferencing a NULL pointer in C is UB.

Now to test the tests

Posted May 12, 2026 9:13 UTC (Tue) by azumanga (subscriber, #90158) [Link]

You are right, it is, and sometimes compilers do something clever, but I find, in practice, it leads to my program crashing out with a segfault, while dereferencing an empty std::optional never ends up with a crash, just garbage.

Now to test the tests

Posted May 12, 2026 13:28 UTC (Tue) by pizza (subscriber, #46) [Link] (6 responses)

> Dereferencing a NULL pointer in C is UB.

Meanwhile, there are still non-trivial numbers of systems out there (including current production) that map RAM at address 0, and may expect code to start executing from there.

Fun times.

Now to test the tests

Posted May 12, 2026 14:32 UTC (Tue) by zdzichu (subscriber, #17118) [Link] (5 responses)

But NULL doesn't have to be equal to 0.

Now to test the tests

Posted May 12, 2026 16:32 UTC (Tue) by mathstuf (subscriber, #69389) [Link]

IIRC, it has to compare with 0 as `true`, but yes, its bit pattern need not be the same as 0.

Now to test the tests

Posted May 12, 2026 16:33 UTC (Tue) by linuxrocks123 (subscriber, #34648) [Link] (3 responses)

> But NULL doesn't have to be equal to 0.

Yes, it does. See https://www.open-std.org/jtc1/sc22/wg14/www/docs/n3220.pdf Section 6.3.2.3 (3).

> An integer constant expression with the value 0, such an expression cast to type void *, or the predefined constant nullptr is called a null pointer constant.

Now to test the tests

Posted May 12, 2026 21:36 UTC (Tue) by willy (subscriber, #9762) [Link] (2 responses)

I'm pretty sure what they meant was "NULL does not have to have the representation of "all bits zero"". I've never programmed on such a machine, but it would be interesting to find out how much code assumes that memset(p, 0, n) will initialise a pointer in that block of memory to NULL.

ObPlug: Linux contains memset_p(ptr, v, count) which will initialise an array of pointers with the value "v", so will work with a NULL that's not all-bits-zero. But that's not going to help you if you have a struct which contains a mixture of data and pointers.

I assume but have not verified that initializing a struct with, eg struct foo f = {}; will initialize pointers in f to NULL and not all-zero-bits.

Now to test the tests

Posted May 14, 2026 15:54 UTC (Thu) by mathstuf (subscriber, #69389) [Link] (1 responses)

> I assume but have not verified that initializing a struct with, eg struct foo f = {}; will initialize pointers in f to NULL and not all-zero-bits.

Is the standard worded as initializing to zero-bits or is it worded as initializing all members to the value zero?

Now to test the tests

Posted May 18, 2026 15:25 UTC (Mon) by neggles (subscriber, #153254) [Link]

An object is empty-initialized if it is explicitly initialized from initializer = {}. (since C23)

In some cases, an object is empty-initialized if it is not initialized explicitly, that is:

- pointers are initialized to null pointer values of their types

...

Seem's it's "whatever null is", so doesn't have to be bitwise zero

Now to test the tests

Posted May 14, 2026 7:25 UTC (Thu) by anton (subscriber, #25547) [Link]

At least in this case gcc offers -fno-delete-null-pointer-checks to define it.

C++ 26 contracts

Posted May 12, 2026 9:11 UTC (Tue) by tialaramex (subscriber, #21167) [Link] (3 responses)

C++ 26 landed a Contracts MVP. It does have a bunch of nasty holes where you can end up with Undefined Behaviour or in some cases IFNDR which is much worse

Undefined Behaviour is a behaviour, so, we can avoid codepaths in which that Behaviour happens and now there's no UB, e.g. if your only UB is your Print subroutine accidentally has a use-after-free bug you can tell operators "Never press print" and that's an actual real world workaround for the UB, there is now no use-after-free, so the behaviour remains defined throughout operation of the remainder of the program.

IFNDR ("Ill-formed No Diagnostic Required" is the general shape of such rules in the C++ ISO document) isn't behaviour it's a whole program property, your program is not well formed and so the standard doesn't say what, if anything, it does. What does it do? Who knows, not the standard, maybe not the compiler hence "No Diagnostic Required", and perhaps not you the programmer. Because this is a property of the whole program a workaround like "Never press print" is not applicable.

AIUI If you use Contracts carefully you could indeed give your C++ functions pre and post conditions and abort the software immediately if any of these conditions become false. If you use 3rd party components this is likely to get rather fraught because you need to co-ordinate how all the software is built to ensure you don't accidentally create a situation where element A thinks element B will enforce a Contract but element B was relying on A to do that work.

C++ 26 contracts

Posted May 12, 2026 14:05 UTC (Tue) by NYKevin (subscriber, #129325) [Link] (2 responses)

> AIUI If you use Contracts carefully you could indeed give your C++ functions pre and post conditions and abort the software immediately if any of these conditions become false. If you use 3rd party components this is likely to get rather fraught because you need to co-ordinate how all the software is built to ensure you don't accidentally create a situation where element A thinks element B will enforce a Contract but element B was relying on A to do that work.

This is why I'm generally suspicious of the whole design-by-contract premise. It seems to me that you'd be better off enforcing these invariants at the type level (e.g. by checking them in a constructor or factory function, which then wraps the value in a newtype to indicate that it has been checked).

Unfortunately, there is some C++-specific friction in this approach. Newtypes themselves are possible (a single-field struct), but inconvenient. Your newtype needs a getter that returns the inner value, behind a const reference so it can't be invalidated. But now you have to contend with C++'s lack of borrow checking. You can't just pass these references around willy-nilly, or you will inevitably UAF them all over the place. That's annoying, so probably you end up writing an unwrap() method that removes the newtype altogether. But then you might have to re-check it at a later point in the program. So you re-wrap it. Somebody notices that double-checking is 0.2% slower than it has to be, and wastes valuable developer-hours trying to fix it in vain.

C++ 26 contracts

Posted May 12, 2026 14:44 UTC (Tue) by tialaramex (subscriber, #21167) [Link] (1 responses)

I do like type invariants, but sometimes a contract facility has better ergonomics. If I can't have both I guess I'll take type invariants, but I would prefer both.

C++ 26 contracts

Posted May 12, 2026 17:32 UTC (Tue) by NYKevin (subscriber, #129325) [Link]

One clever (but unfortunately Rust-only) pattern I have discovered is the static enum. It goes like this:

// TODO: Replace Infallible with ! when the latter is stabilized.
use std::convert::Infallible;

pub trait Variant: Sized {
    // Type bounds added for ergonomics, not essential.
    type OnlyLeft: Copy + 'static;
    type OnlyRight: Copy + 'static;
    fn into_left<T, U>(e: Either<Self, T, U>, x: Self::OnlyLeft) -> T;
    fn into_right<T, U>(e: Either<Self, T, U>, x: Self::OnlyRight) -> U;
    fn select<T, U>(t: T, u: U) -> Either<Self, T, U>;
}

pub enum Either<V: Variant, T, U>{
    Left(T, V::OnlyLeft),
    Right(U, V::OnlyRight),
}

pub struct LeftVariant;
pub struct RightVariant;

impl Variant for LeftVariant {
    type OnlyLeft = ();
    type OnlyRight = Infallible;
    fn into_left<T, U>(e: Either<Self, T, U>, _: Self::OnlyLeft) -> T{
        let Either::<Self, T, U>::Left(v, _) = e;
        v
    }
    // TODO: When replacing Infallible with !, we can simplify this to just return x directly.
    fn into_right<T, U>(_: Either<Self, T, U>, x: Self::OnlyRight) -> U{
        match x {}
    }
    fn select<T, U>(t: T, _: U) -> Either<Self, T, U>{
        Either::Left(t, ())
    }
}

impl Variant for RightVariant {
    type OnlyLeft = Infallible;
    type OnlyRight = ();
    fn into_left<T, U>(_: Either<Self, T, U>, x: Self::OnlyLeft) -> T{
        match x {}
    }
    fn into_right<T, U>(e: Either<Self, T, U>, _: Self::OnlyRight) -> U{
        let Either::<Self, T, U>::Right(v, _) = e;
        v
    }
    fn select<T, U>(_: T, u: U) -> Either<Self, T, U>{
        Either::Right(u, ())
    }
}

// Need a macro so that we only evaluate one or the other of t and u. They can both e.g. move
// from the same places, have overlapping mutable borrows, etc.
// XXX: It is somewhat ugly to take a type as an argument. Better syntax would look like this:
// new_either!<V>(t, u).
// But macro_rules! cannot consume that syntax, and proc macros are overkill. Oh well.
macro_rules! new_either{
    ($v:ty, $t:expr, $u:expr) => {
        match <$v as $crate::Variant>::select((), ()) {
            $crate::Either::Left(_, x) => $crate::Either::Left($t, x),
            $crate::Either::Right(_, x) => $crate::Either::Right($u, x),
        }
    }
}

// Either should provide various methods for manipulating its contents, not shown here.
// It should also blanket impl some std traits when T and U impl those traits.

The point is that destructuring an Either instance inside of a match expression will only emit code for the branch that is actually taken. This means that we can write simple and obvious code that looks like a runtime branch, but is actually resolved at compile time. For example, new_either!() is a zero-overhead (branchless) operation despite containing a match with two arms. After monomorphization, one of those arms will always materialize an empty type (as the value of x), and the compiler will regard that as conclusive evidence that the arm is unreachable (or UB).

It also means we can pass around these OnlyLeft and OnlyRight tokens freely to prove which variant is active, and later use the into_left() and into_right() functions as needed. Since the tokens are either ZSTs or empty types, they never emit any code whatsoever.

I suspect, but cannot easily prove, that most or all design-by-contract use cases can be reformulated in terms of ZSTs, empty types, and similar constructs to what I show above. But retrofitting this much type system complexity into C++ is probably not a good idea.

Now to test the tests

Posted May 12, 2026 1:55 UTC (Tue) by felixfix (subscriber, #242) [Link]

Way way back, around 1970++, I had been using a FORTRAN program to call an assembly program on a CDC 6400 for I/O, and as it got towards a full box of 2000 cards, I decided that line of inquiry was no longer fun. So it went out in style. Its entry point was no longer MAIN; in fact, MAIN was never called. It began execution in a FORTRAN sub, which called assembly language code, which gradually modified FORTRAN code until one instruction turned into an Exchange Jump, a system-only swap instruction on the 6400. I asked and was assured this instruction was system only and was disabled on the A machine and only enabled on B machine during weekly maintenance check (B machine had half the memory and was used for time share experiments). I marked the box and the deck of cards itself "MACHINE A ONLY DO NOT RUN ON B" so of course they ran it on B. Which rebooted itself without warning since I hadn't given the exchange jump any useful registers or code to execute. They reran all the jobs which had been running and narrowed it down to mine. Got a note to see the director. I pointed out the "A ONLY" warnings, and he had to admit they had screwed up. He also admitted they didn't like going through the physical enabling and disabling for the weekly maintenance checks, so they just left it enabled all the time.

Poking at machines and making them do weird things is the best way to learn. I eventually made that machine abort a program with all memory zeroed, all 24 registers zeroed, and all three hardware errors (? indefinite operand, P counter out of range, and ...?). The only thing I couldn't manage was zeroing the P counter.

Programming is fun if you do it right.

Sustain the hype?

Posted May 12, 2026 9:19 UTC (Tue) by rettichschnidi (subscriber, #93261) [Link] (9 responses)

After this blog post, any guesses whether and how much Anthropic is now spending extra on finding a serious flaw in curl after all?

Sustain the hype?

Posted May 12, 2026 10:30 UTC (Tue) by jd (guest, #26381) [Link]

Well, one could say that curl has now filed a bug report against Anthropic, so we're in a position now where either one of the sides finds a serious defect in the other or backs down entirely. I don't see the status quo really holding. Both sides have something to prove, now, but curl might not be important enough for Anthropic to use it to prove their point.

Sustain the hype?

Posted May 13, 2026 12:45 UTC (Wed) by iabervon (subscriber, #722) [Link] (7 responses)

I think what they want to say is that, if there are any problems in your code, Mythos will find them, and if there aren't any problems in your code, Mythos will tell you that rather than making things up. I think it fits into the press that Anthropic wants to have a blog post that says "Mythos is no big deal. We have this extensive security process that catches all the problems before they get released, involving people, tools, and several other models, and Mythos didn't find anything that had gotten through." to contrast with projects that don't have an extensive security process, where Mythos is finding tons of problems. Then Anthropic can ask the question, "Do your projects have the budget to be as careful as curl and OpenBSD?"

Sustain the hype?

Posted May 13, 2026 14:04 UTC (Wed) by pizza (subscriber, #46) [Link] (6 responses)

> Then Anthropic can ask the question, "Do your projects have the budget to be as careful as curl and OpenBSD?"

The answer to this will invariably be "no".

How will Anthropic follow that?

Sustain the hype?

Posted May 13, 2026 15:40 UTC (Wed) by rgmoore (✭ supporter ✭, #75) [Link] (5 responses)

How will Anthropic follow that?

The obvious followup is that you can get an in-depth review for less by turning to Claude Mythos. We don't know that Mythos will actually be cheaper than having a good human team, but creating that impression is the goal of the hype machine. Anthropic wants to get projects hooked on being able to access top-notch LLM support so they'll have to pay whatever it costs to keep it going once the current startup money subsidy goes away.

Sustain the hype?

Posted May 13, 2026 17:30 UTC (Wed) by pizza (subscriber, #46) [Link] (4 responses)

> The obvious followup is that you can get an in-depth review for less by turning to Claude Mythos.

And who will review / integrate Mythos' output?

Or is the *actual* goal "Give Anthropic commit rights to your project and let it do everything"?

> We don't know that Mythos will actually be cheaper than having a good human team, but creating that impression is the goal of the hype machine. Anthropic wants to get projects hooked on being able to access top-notch LLM support so they'll have to pay whatever it costs to keep it going once the current startup money subsidy goes away.

All "AI" providers are effectively lighting money on fire, not even charging enough to cover the incremental costs of providing their services. So the cost will *only* go up.

Sustain the hype?

Posted May 13, 2026 18:30 UTC (Wed) by rgmoore (✭ supporter ✭, #75) [Link]

Or is the *actual* goal "Give Anthropic commit rights to your project and let it do everything"?

I think the main goal is to get as many people as possible hooked on using Anthropic's tools. They don't really care what the use is as long as it's deeply enough integrated into their processes that it can't easily be replaced. It's basically the drug dealer model: give away free samples to create addicts, then charge them as much as you can get away with.

All "AI" providers are effectively lighting money on fire, not even charging enough to cover the incremental costs of providing their services. So the cost will *only* go up.

This seems to be the current MO for all the startups. The whole business plan is to grow as rapidly as possible, lock customers in, and then monetize the lock in. The scale on which they're trying this seems to be getting bigger all the time, probably because they're getting access to more money. The problem is that "lock customers in so you can charge arbitrary prices" requires a monopoly, or at least a tight oligopoly, to work. The companies are basically forced to keep their prices low to try to drive the competition out of business.

I remember someone describing it by comparing it to auto racing. The kind of standard competition described in economics textbooks is like a regular auto race. Some car will win the race, and some cars may drop out from mechanical failures or crashes, but the expectation is that most racers will finish somewhere in the pack. They get points for their order of finish, so a racer can do OK even if they don't win. The startup mentality is like a demolition derby, where you keep on racing until there's only one car left, and deliberately causing other cars to crash so they can't finish the race is all part of the strategy.

Sustain the hype?

Posted May 13, 2026 19:13 UTC (Wed) by iabervon (subscriber, #722) [Link] (2 responses)

I think the usage they're likely to want to sell is that Mythos reviews all of your PRs and points out problems, because that's recurring revenue and also efficient (the author of the PR hasn't forgotten anything about it yet, is presently paying attention to it, and is motivated to address shortcomings that have been identified; nothing has started using it, and it hasn't been released). I suspect that their ideal niche would be that companies that use open source projects and are subject to the CRA would pay Anthropic to review everything proposed for the project, and the project would find that this review points out things that would have been exploitable if the PR was merged like that.

At the moment, there's a huge backlog of things Mythos would have pointed out over your project's lifetime if it existed back then, but they're trying to get through that now, both for the positive press and because, if they didn't and sold general access to the model, random people would be able to use it to find vulnerabilities they could exploit in a lot of software, and that's press they definitely don't want. This is where Mythos has a lot of output (for most projects) and people have to go through the work of reviewing and integrating it.

I think the theory is that no AI can find real problems that don't exist, and humans can find any problems that do exist (but don't prioritize it enough to actually find all of them), and the only place where Mythos doesn't find problems is where humans have really prioritized it as much as possible, so it will be impossible to get another chunk of vulnerabilities with a better model in the future because the vulnerabilities just don't exist. I'm not convinced this is actually true, because there could be classes of vulnerabilities that nobody's thought of yet, and Mythos doesn't find because there were no examples of finding them in the training data, but even finding all of the instances of known classes of vulnerabilities means that new vulnerabilities only get discovered in existing code when a new class is discovered, and that's unlikely to be in things that lots of projects do lots of times, so not a large total of new instances.

Sustain the hype?

Posted May 13, 2026 21:53 UTC (Wed) by kleptog (subscriber, #1183) [Link] (1 responses)

I dont find it likely that there's large classes of bugs out there nobody has noticed yet. The big difference between code writing 50+ years ago and now is that programming languages these days are much more structured. We compose applications from modules written with interfaces. The trickier bugs you're seeing now are all of the form: module/function has a precondition that is violated by the caller. Languages like Rust encode more of the preconditions in the type system to prevent these classes of bugs. You can't get everything into the type system, but you can do way better than C/C++.

If all the preconditions of all the code are met then mathematically there are no bugs.

The only area I can see that really might be actually new are bugs caused by problems in the compiler translations to assembly, so the code executed does not match what is actually run. Or that preconditions are missing/not well understood. But again, software development has learned over the last decades to structure programs to reduce these classes of issues so I wouldn't expect much here either.

Mostly there's just a lot of code out there of poor quality. And while that gets fixed we get a lot of bug reports.

Sustain the hype?

Posted May 13, 2026 23:39 UTC (Wed) by tialaramex (subscriber, #21167) [Link]

Yeah, I think "Mythos finds new category of bugs" would justify the hype but was never at all likely. Even if it found two dozen previously unseen bounds misses in curl that wouldn't be a new class of bug.

"It's better than a random intern at finding bugs" is worth some money. Is it enough money for Anthropic to make financial sense? I do not know.

Optimistic

Posted May 12, 2026 11:06 UTC (Tue) by cthart (guest, #4457) [Link] (4 responses)

I was quite pessimistic for the future of computers as a whole, foreseeing a time when the forces of evil using AI are winning over the forces of good.

But this post makes me quite optimistic again.

Optimistic

Posted May 12, 2026 14:12 UTC (Tue) by tialaramex (subscriber, #21167) [Link]

An LLM, even if it were somehow a super-intelligence which it is not, cannot make false things true. Necessarily only actual problems can be found, when it was just rumours you could choose to imagine Mythos found an entirely novel category of problems in software - a category which always existed but no-one had previously discovered. But that was never very likely. It cannot find a category of problems which didn't exist before, Computer Science is just Mathematics. An LLM can't make Pi a rational number or make 3 a larger integer than 5.

The reality seems to be that Mythos is slightly better (and for just $$$, very little human labour) at finding several types of bugs in software that we're used to seeing from human researchers, many of them Memory Safety bugs.

So, to the extent that you write correct software nothing changes. What we'd ideally see from this is an investment in writing more correct software, that means not just memory safety (though that too of course) but wider and broader proofs.

Optimistic

Posted May 12, 2026 15:53 UTC (Tue) by hsivonen (subscriber, #91034) [Link] (2 responses)

Why does this make you optimistic?

AFAICT, there’s remarkably little here that is suitable for a generalized conclusion, optimistic or pessimistic.

The post notes that other LLMs have found “a dozen or more” vulnerabilities in curl. Mozilla reported that this particular LLM found many more vulnerabilites in another cadebase that has been exposed to other scrutiny previously.

There are multiple possible explanations for why this LLM found only one vulnerability in this case, and we don’t have enough information available to conclude which one of the possible explanations is the actual reason for this particular outcome. This leaves room for folks to see whatever they want to see here.

Optimistic

Posted May 13, 2026 0:28 UTC (Wed) by rsidd (subscriber, #2582) [Link] (1 responses)

In a mature codebase there is a finite pool of possible vulnerabilities. They found only one in OpenBSD I believe. The next model may fine zero. But given the higher code churn in Linux and web browsers, those may be a bigger worry. On the other hand, AI-assisted code vetting may mitigate future bugs?

Optimistic

Posted May 13, 2026 6:01 UTC (Wed) by hsivonen (subscriber, #91034) [Link]

That’s one possible explanation. Or it could be a case of ineffective harness. Or something else. There isn’t enough information to know.

Churn doesn’t explain the discovery of bugs that were about a couple of decades old in Linux and Firefox.

There have now been enough security bugs found by LLMs that it seems reasonable to conclude that LLMs now find security bugs, and folks who want to believe that even that observation is all lies are wrong. But for specifics beyond that, it seems to me there isn’t enough public information to draw generalized conclusions, particularly not from this curl case.