{"slug": "ai-is-hunting-bugs-now-2026-cve-count-heading-for-66000", "title": "AI Is Hunting Bugs Now: 2026 CVE Count Heading for 66,000", "summary": "FIRST.org revised its 2026 CVE forecast to approximately 66,000, a 46.3% increase from its February estimate, driven primarily by AI-assisted vulnerability discovery. Anthropic's Mythos Preview, part of Project Glasswing, scanned over 1,000 open-source projects and flagged 23,019 vulnerabilities, with 90.6% confirmed as real bugs. The surge in CVEs reflects a structural shift where AI has removed discovery constraints, but human capacity to verify and patch remains the bottleneck.", "body_md": "FIRST.org just revised its 2026 CVE forecast to approximately 66,000 — a 46.3% upward revision from its February estimate of 59,427. The primary driver is not a sudden collapse in software security. It is AI: autonomous systems are now hunting vulnerabilities in code that has been sitting unmolested for decades, and they are extraordinarily good at it.\n\n## The Numbers Behind the Revision\n\nThe Forum of Incident Response and Security Teams published its mid-year update on June 15 at its 38th Annual Conference. Through April 2026 alone, actual CVE disclosures had already run 6,420 units above the February projection. Extrapolated to year-end, that puts 2026 on course to shatter 2024’s previous all-time high of around 40,000 CVEs.\n\nThree structural factors are driving the surge:\n\n- **AI-assisted vulnerability discovery** — the biggest driver, covered below\n- **GitHub Security Advisory volume up 449% year-over-year** — driven by an expanded curation team and a CVE ID backfill campaign\n- **VulnCheck CNA-of-Last-Resort activity up 3,119%** — absorbing a massive backlog of previously unassigned vulnerabilities\n\nThat third number sounds alarming, but context matters: a large chunk of the VulnCheck spike reflects historical flaws finally getting formal IDs. Part of the rise in raw CVE count is therefore a one-time clearing of that backlog. 
But that does not explain the AI-discovery component — and that component is here to stay.\n\n## What Project Glasswing Actually Did\n\nAnthropic’s Mythos Preview is not publicly available. It is restricted to members of Project Glasswing: a consortium that includes AWS, Apple, Cisco, Google, JPMorgan Chase, Microsoft, NVIDIA, CrowdStrike, Cloudflare, and Mozilla. The model’s job is to scan software for security vulnerabilities the way a highly experienced penetration tester would — not by throwing random inputs at code, but by reasoning about attack paths.\n\nThe results were not incremental. Mythos scanned over 1,000 open-source projects and flagged 23,019 vulnerabilities, 6,202 of them assessed as high or critical severity. An independent firm checked a random sample of 1,752 findings and confirmed 90.6% were real bugs.\n\nMozilla’s experience is the clearest case study. Using early access to Mythos Preview, Mozilla’s security team patched 271 vulnerabilities for [Firefox 150](https://thenextweb.com/news/mozilla-firefox-claude-mythos-271-vulnerabilities) in a single evaluation pass. That one release caused Mozilla’s CNA disclosures to spike 164% in Q1 2026. Among the bugs Mythos surfaced: a 27-year-old flaw in OpenBSD and a 16-year-old vulnerability in FFmpeg. Neither was a theoretical edge case. Both were fixable. No human had found them.\n\n## Discovery Is No Longer the Bottleneck\n\nThis is the structural shift that matters. For most of software security’s history, the constraint was finding bugs. Skilled researchers were scarce, coverage was incomplete, and years could pass before a serious flaw was discovered. AI has effectively removed that constraint for any organization with access to frontier models.\n\nWhat has not changed is the human side: verifying findings, coordinating responsible disclosure, writing patches, and pushing updates to production. 
FIRST is explicit about this in [its June 15 blog post](https://www.first.org/blog/20260615-vulnerability-forecast-update): “The constraint is no longer discovery; it is the human capacity to verify, coordinate, and patch.” More CVEs do not mean less secure software. It means the funnel has widened dramatically at the top while the drain at the bottom has not changed.\n\n## The Triage Problem Just Got Harder\n\nThere is a compounding factor. On April 15, 2026, NIST transitioned the National Vulnerability Database to a formal triage model, reclassifying roughly 29,000 backlog CVEs as “Not Scheduled” and committing to enriching only an estimated 15-20% of new incoming CVEs. Developers who relied on NVD as a complete reference are now missing coverage — at exactly the moment raw CVE volume is exploding.\n\nThe practical answer is to stop using CVSS severity alone as a patch prioritization signal. The security community has converged on three complementary signals:\n\n- **[CISA KEV catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)** — over 1,200 entries, all confirmed active exploitation. If a CVE is here, patch it without debate.\n- **EPSS score above 10%** — an ML model predicting the probability of exploitation within 30 days. High EPSS + not yet in KEV = next tier.\n- **CVSS** — use it to rank candidates within the above two filters, not as a standalone signal.\n\nTools like Dependabot, Trivy, Grype, and Snyk are incorporating EPSS alongside CVSS. If yours is not, it is time to look at alternatives that do.\n\n## Three Things to Do Now\n\nThe volume of CVEs you need to track is going up. The fraction that actually requires an emergency response is not. 
[Help Net Security’s coverage](https://www.helpnetsecurity.com/2026/06/15/first-2026-cve-forecast/) of the FIRST forecast puts it plainly: organizations using EPSS and the CISA KEV catalog to triage can manage exposure without scaling headcount proportionally to raw CVE volume.\n\n1. **Audit your triage stack.** If your vulnerability management workflow still treats CVSS 9.0+ as an automatic emergency, recalibrate. KEV and EPSS narrow the real-risk set dramatically.\n2. **Generate and maintain an SBOM.** When a new CVE drops for a dependency you are running, you need to know within minutes. Tools like Syft, cdxgen, or Docker Scout make this tractable at CI/CD time.\n3. **Assume there are bugs in your legacy code that no human has found.** Mythos is restricted now. Cheaper equivalents will reach the general market. Treat legacy code the way you treat legacy infrastructure: unknown attack surface until proven otherwise.\n\nThe AI that found 23,019 bugs across 1,000 open-source projects is not the last model to do this. It is the first one you have heard of. The [FIRST mid-year report](https://www.first.org/newsroom/releases/20260615) is a signal, not a summary. 
Plan accordingly.", "url": "https://wpnews.pro/news/ai-is-hunting-bugs-now-2026-cve-count-heading-for-66000", "canonical_source": "https://byteiota.com/ai-is-hunting-bugs-now-2026-cve-count-heading-for-66000/", "published_at": "2026-06-20 04:16:25+00:00", "updated_at": "2026-06-20 04:42:09.470276+00:00", "lang": "en", "topics": ["artificial-intelligence", "ai-safety", "ai-products", "ai-tools", "ai-agents"], "entities": ["FIRST.org", "Anthropic", "Mythos", "Project Glasswing", "Mozilla", "NIST", "National Vulnerability Database", "CrowdStrike"], "alternates": {"html": "https://wpnews.pro/news/ai-is-hunting-bugs-now-2026-cve-count-heading-for-66000", "markdown": "https://wpnews.pro/news/ai-is-hunting-bugs-now-2026-cve-count-heading-for-66000.md", "text": "https://wpnews.pro/news/ai-is-hunting-bugs-now-2026-cve-count-heading-for-66000.txt", "jsonld": "https://wpnews.pro/news/ai-is-hunting-bugs-now-2026-cve-count-heading-for-66000.jsonld"}}