Anthropic’s restricted Mythos model scanned curl’s 176K-line C codebase and found one confirmed low-severity CVE, due in curl 8.21.0 late June 2026.
Key Takeaways
Mythos reported five “confirmed” vulnerabilities; curl’s security team reduced that to one real CVE, three false positives, and one plain bug.
Prior AI tools (AISLE, Zeropath, OpenAI Codex Security) already triggered 200-300 bugfixes and a dozen-plus CVEs across the previous 8-10 months, leaving less for Mythos to find.
The report also flagged ~20 non-vulnerability bugs with a low false-positive rate; curl is fixing those incrementally.
curl lead Daniel Stenberg calls the Mythos hype “primarily marketing” – no evidence it outperforms existing AI analyzers at a meaningful level on this codebase.
Mythos correctly found zero memory-safety issues and nothing in hot paths (HTTP/1, TLS, URL parsing core), consistent with curl’s OSS-Fuzz/Coverity/CodeQL history.
Hacker News Comment Review
Consensus is that curl is a poor benchmark for Mythos because it is one of the most heavily audited C codebases alive; the real question is performance on less-scrutinized projects.
Several commenters push back on the “no tsunami” framing, citing a real spike in high-quality, low-false-positive vulnerability disclosures across Firefox, OpenBSD, and Linux in recent weeks as evidence Mythos may matter more elsewhere.
There is skepticism about the controlled access model itself: one commenter raised the possibility that intermediaries running the scan could selectively omit findings before delivering reports.
Notable Comments
@fpesce: cites 100+ Firefox bugs, OpenBSD/Linux RCEs, and Linux LPEs disclosed in 2-3 weeks as concrete counter-evidence to the “marketing scare” dismissal.
@yjftsjthsd-h: notes Stenberg’s “not dangerous” conclusion does not generalize – curl is an outlier; most software lacks its audit depth.