CVE-2026-4747: How Mythos Exploited a 17-Year-Old FreeBSD NFS Flaw End-to-End

Most vulnerabilities surfaced by Anthropic's Project Glasswing follow a familiar arc: a model reads a codebase, reasons about it, and points to a bug a human then confirms. Finding flaws is the comfortable half of the story. The unsettling half is what happens after a bug is found — turning a crash into control, and control into a foothold on someone else's machine. That step has historically been the moat: discovery scales, but weaponization is artisanal, slow, and human.

CVE-2026-4747 is the case study where that moat narrowed. According to Anthropic's Frontier Red Team writeup, Claude Mythos Preview — the unreleased frontier model behind Glasswing — did not just find a 17-year-old remote code execution flaw in FreeBSD's network file system. It built a working exploit for it, end-to-end, with no human in the loop after a single starting prompt. The result: unauthenticated root on a machine running NFS.

What follows is the analyst's-eye walkthrough — the bug, the protocol it lives in, how the exploit was assembled, and what it means that an AI ran the entire kill chain unattended. Elegant Software Solutions did not participate in Glasswing; everything here draws from public primary sources, with the CVE metadata verified against the U.S. National Vulnerability Database (NVD) and the exploitation narrative against Anthropic's published account.

First, the vocabulary: NFS, RPC, and RPCSEC_GSS

To see why this bug is severe, you need three pieces of plumbing that most application engineers never touch directly.

NFS (Network File System) lets one machine mount another machine's directories as if they were local disk — decades-old infrastructure that still quietly runs much of the world's storage. Crucially, on FreeBSD the NFS server lives inside the kernel, not in a sandboxed user-space process. Code in kernel context has nothing above it to contain a mistake; a memory bug there is a bug in the most privileged software on the machine.

RPC (Remote Procedure Call) is the transport NFS rides on. A client packages up "call this function with these arguments" and ships it across the network; the server unpacks it and acts. It is the network equivalent of an ordinary function call — which is exactly why a malformed one can be so dangerous.

RPCSEC_GSS is the security layer bolted onto RPC. GSS (the Generic Security Services API) is the standard plumbing that lets two parties authenticate and integrity-protect their messages — think Kerberos-style cryptographic handshakes. Every RPCSEC_GSS data packet carries a signature, and the server validates it before trusting the request.

That validation routine is where CVE-2026-4747 lives — the sharp irony. Per the NVD description: "Each RPCSEC_GSS data packet is validated by a routine which checks a signature in the packet. This routine copies a portion of the packet into a stack buffer, but fails to ensure that the buffer is sufficiently large, and a malicious client can trigger a stack overflow." The security-checking code is itself the vulnerability — the gate meant to keep attackers out has a hole punched through it.

The flaw, verified

The NVD record for CVE-2026-4747 classifies it as CWE-121: Stack-based Buffer Overflow, with a CVSS v3.1 base score of 8.8 (HIGH) and the vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. It affects FreeBSD 13.5, 14.3, 14.4, and 15.0 across multiple patch levels, in the kgssapi.ko kernel module and the librpcgss_sec library. NVD lists it published March 26, 2026 and last modified April 20, 2026; remediation ships as FreeBSD Security Advisory FreeBSD-SA-26:08.rpcsec_gss. As the vector's AV:N and triple C:H/I:H/A:H make plain, this is fully network-reachable and totally compromises confidentiality, integrity, and availability — kernel-level game over.

One metadata detail looks like a contradiction and isn't. The CVSS vector records PR:L — privileges required: low — and NVD's own description frames the RCE as one "for authenticated users," yet both the advisory and Anthropic's writeup describe the path as reachable without prior authentication. The resolution is in the mechanism: the "privilege" the attacker needs is a GSS context handle, and the attacker mints that authentication themselves — Anthropic's source states the attacker creates the needed GSS context entry "with a single unauthenticated INIT request," so the PR:L "privilege" is self-issued, not a real prior credential. The barrier exists, but the attacker mints their own key to it. NVD is authoritative for the metadata; Anthropic for the exploitation narrative; both describe the same flaw from different angles.

A word on "17 years." That figure, from Anthropic, refers to how long the vulnerable code has lived in the tree — roughly since 2009. It is not the list of currently affected releases (the modern 13.x/14.x/15.0 branches above). A defect introduced in 2009 and never noticed has had a very long time to propagate into every supported version. That longevity is the recurring Glasswing motif: widely deployed, battle-tested, decades-old code is exactly where these flaws hide, precisely because everyone assumes someone has already looked.

How the exploit was assembled

Finding a stack overflow is one thing. Turning it into reliable remote code execution against a modern kernel — past the mitigations built to stop exactly this — is the hard part. Here is the chain Anthropic describes, kept at the abstraction they published. We reproduce no weaponizable code; the proof-of-concept exploit that NVD references on GitHub is out of scope, and Anthropic's published abstraction is the ceiling for what we detail.

The overflow itself. The vulnerable routine "directly copies data from an attacker-controlled packet into a 128-byte stack buffer, starting 32 bytes in (after the fixed RPC header fields), leaving only 96 bytes of room." A length check caps the copy at MAX_AUTH_BYTES (a constant of 400), which, per Anthropic, lets an attacker "write up to 304 bytes of arbitrary content to the stack and implement a standard Return Oriented Programming (ROP) attack." ROP is the canonical technique for hijacking control flow without injecting new code: you overwrite the saved return address with a sequence of pointers to existing snippets of code ("gadgets") already in the binary, stitching them into a program of your own design.

Every guardrail happened to be absent. This is the line that should make any defender wince. Anthropic: "every mitigation that would normally stand between a stack overflow and instruction-pointer control happens not to apply on this particular codepath." The FreeBSD kernel was compiled with -fstack-protector rather than -fstack-protector-strong, so for this function "the compiler emits no stack canary at all" — the tripwire that would normally detect a smashed stack simply wasn't placed here. And FreeBSD "does not randomize the kernel's load address, and so predicting the location of ROP gadgets does not require a prior information disclosure vulnerability." No KASLR meant the attacker knew where every gadget lived in advance — no memory leak required to bootstrap the exploit.

Getting past the front door without credentials. Incoming requests must carry a 16-byte handle matching a live entry in the server's GSS client table or they're rejected. The attacker can manufacture that prerequisite: "It is possible for an attacker to create that entry themselves with a single unauthenticated INIT request." That is the PR:L reconciliation in action — the "privilege" is self-issued. And if the server speaks NFSv4, a single unauthenticated EXCHANGE_ID call — answered "before any export or authentication check" — leaks the host's full UUID and the second nfsd started, enough to recompute the hostid the exploit needs. The precision the attack required was handed out for free, pre-authentication.

The 200-byte problem. This is the constraint that makes the work a genuine engineering feat rather than a one-shot smash. The ROP chain Mythos needed "must fit in 200 bytes, but the chain constructed above is over 1000 bytes long." Anthropic describes the workaround: "Mythos Preview works around this limitation by splitting the attack into six sequential RPC requests to the server. The first five are the setup that writes the data to memory piece by piece, and then the sixth loads all the registers and issues the kern_writev call." The model used the overflow itself as a primitive to stage a much larger payload into kernel memory across multiple packets, then fired it on the final request — treating the vulnerability not as a single trigger but as a tool to be operated.

The payload. The finale is mundane and devastating. Mythos staged the string "/root/.ssh/authorized_keys" and an appended SSH public key into memory, then issued kernel calls (kern_openat followed by kern_writev) to append the attacker's key to root's authorized-keys file. After that, the attacker simply logs in over SSH as root. No malware, no implant to detect — just a new line in a trusted config file and a legitimate-looking login.

Why "end-to-end and autonomous" is the part that matters

Plenty of tools can find a crash. What separates this case is that one system carried the work from "find a bug" all the way to "here is a working remote root exploit," with nobody steering.

Anthropic is precise: "When we say 'fully autonomously', we mean that no human was involved in either the discovery or exploitation of this vulnerability after the initial request to find the bug." And they draw the capability line explicitly against the previous public model: "As a point of comparison, recently an independent vulnerability research company showed that Opus 4.6 was able to exploit this vulnerability, but succeeding required human guidance. Mythos Preview did not."

That comparison is the whole story compressed. The prior-generation model could participate; a human still had to drive. Mythos drove itself. The gap between "AI-assisted exploitation" and "autonomous exploitation" is the gap between a power tool and a worker — and it closed inside one model generation.

Why does autonomy change the threat model? Because the human-weaponization step was load-bearing as a defense whether anyone intended it or not. The pool of people who can chain a no-canary, no-ASLR stack overflow into a multi-packet ROP payload that plants an SSH key is small, expensive, and slow. That scarcity quietly rate-limited how many findable bugs became real attacks. Remove the human and exploitation inherits the economics of software: parallel, cheap, tireless, available to anyone with the model and a target. A flaw that would have sat dormant because nobody had time to weaponize it can now be weaponized at the speed of inference.

Tying it back: the offense/defense balance

This is the sharp end of Glasswing's central tension. The same machine that just demonstrated full autonomous exploitation is the one Anthropic argues will, in the long run, favor defenders — by finding and helping fix flaws like this one first. CVE-2026-4747 was found and disclosed responsibly; the FreeBSD advisory exists; defenders got their warning first. That is the optimistic reading, and on this bug it held.

But the same demonstration is the strongest argument for the skeptics' worry. Anthropic concedes the hazard: "In the short term, this could be attackers, if frontier labs aren't careful about how they release these models." End-to-end autonomous exploitation is precisely what, in the wrong hands or shipped without safeguards, tilts the field toward offense. It is no accident that Mythos is withheld — not released for general availability — while less-capable public models do the broad scanning. The whole governance posture of Glasswing answers the question this CVE poses most vividly: what happens when the artisanal, human-gated craft of exploitation becomes a button?

For defenders, the takeaway is not panic but pace. The mitigations that should have stopped this — a stack canary, address randomization — were absent or misconfigured on the vulnerable path, and those are exactly the hardening defaults teams control. The deeper imperative is to close the gap between finding and fixing, because the discovery side of that equation just got an enormous, autonomous, parallel head start. (The FAQ below gathers the concrete hardening steps.)

Frequently asked questions

What exactly is CVE-2026-4747?
It is a stack-based buffer overflow (CWE-121) in FreeBSD's RPCSEC_GSS handling, the security layer for NFS over RPC. The signature-validation routine copies attacker-controlled packet data into an undersized 128-byte stack buffer, enabling remote code execution in the FreeBSD kernel. NVD rates it CVSS v3.1 8.8 (HIGH), affecting FreeBSD 13.5, 14.3, 14.4, and 15.0; the fix is FreeBSD-SA-26:08.rpcsec_gss.

Does the attacker need valid credentials?
Effectively no. The CVSS vector lists PR:L, but the privilege in question is a GSS context handle the attacker can create for themselves with a single unauthenticated INIT request — and on NFSv4 servers, an unauthenticated EXCHANGE_ID call leaks host details the exploit uses, before any authentication check runs. Both the FreeBSD advisory and Anthropic describe the path as reachable without prior authentication.

What does "Mythos exploited it fully autonomously" actually mean?
Per Anthropic, no human was involved in either discovering or exploiting the vulnerability after a single initial prompt to find a bug. The model assembled the entire chain — overflow, control-flow hijack, multi-request payload staging, and the final SSH-key plant — on its own. For comparison, Anthropic notes the prior public model, Opus 4.6, could exploit the same flaw only with human guidance; Mythos did not need it.

How did the exploit fit a 1,000-byte ROP chain through a much smaller overflow?
Anthropic describes splitting the attack into six sequential RPC requests: the first five stage the payload into kernel memory piece by piece, and the sixth loads the registers and fires the final call. Missing defenses helped — no stack canary (the kernel used -fstack-protector, not -fstack-protector-strong) and no kernel address randomization, so gadget locations were predictable without a memory leak.

Why is autonomous exploitation scarier than autonomous detection?
Detection finds problems; exploitation turns them into attacks. The human skill and time needed to weaponize a low-level memory bug acted as an informal brake on how many findable flaws became real compromises. Remove the human and exploitation gains software's economics — fast, cheap, parallel — so dormant bugs can be weaponized at machine speed.

What should defenders do about flaws like this?
Treat the missing mitigations as the lesson: compile kernels and services with strong stack protection, enable address randomization, and network-isolate legacy services like NFS so unauthenticated packets can't reach kernel parsers from untrusted networks. Most importantly, invest in remediation throughput — patch cadence, asset inventory, exploitability-based prioritization — because the discovery side of security just gained an autonomous, parallel advantage.