RC RANDOM CHAOS

Curl's Daniel Stenberg: Anthropic's Mythos Found Just One Real Bug

Via Hacker News. Original source: Mythos Finds a Curl Vulnerability

Anthropic’s much-hyped Mythos model, billed in April 2026 as dangerously capable at uncovering security flaws, was given a shot at curl through the Linux Foundation’s Alpha Omega program. The scan of 178K lines of code produced a report flagging five ‘confirmed’ vulnerabilities, but after the curl security team reviewed them, only one stood up: a low-severity CVE slated for the 8.21.0 release in late June. Of the other four, three were false positives tied to documented API behavior, and the fourth was just an ordinary bug.

Lead maintainer Daniel Stenberg notes that curl is already among the most fuzzed and audited C codebases in existence, and prior AI tools — AISLE, Zeropath, OpenAI’s Codex Security, plus PR-review bots like Copilot and Augment — have driven 200-300 bugfixes and roughly a dozen CVEs over the past year. Mythos surfaced about twenty well-described bugs worth fixing, but produced no dramatic results beyond what other modern AI analyzers manage.

Stenberg’s verdict: the hype was largely marketing. He still credits AI-powered analyzers as a clear step up from traditional static analysis, but sees no evidence Mythos is meaningfully ahead of the pack — at least not against a hardened target like curl.

This is an AI-generated summary. Read the original for the full story.