Anthropic's latest large language model (LLM), Claude Opus 4.6, which was released on Thursday, has discovered more than 500 previously unknown high-severity security vulnerabilities in open-source libraries such as Ghostscript, OpenSC, and CGIF. Claude Opus 4.6 includes enhanced coding skills, such as code review and debugging capabilities, as well as improvements to tasks like financial analyses, research, and document creation.

Anthropic said it is using the model to identify and assist in fixing vulnerabilities in open-source software, stating that it is "notably better" at identifying high-severity vulnerabilities without the need for any task-specific tooling, custom scaffolding, or specialized prompting.

It further stated, "Opus 4.6 reads and reasons about code the way a human researcher would—looking at previous fixes to find similar bugs that weren't addressed, spotting patterns that tend to cause problems, or understanding a piece of logic well enough to know exactly what input would break it." Anthropic's Frontier Red Team tested the model in a virtualized environment before releasing it, providing it with the tools it needs to identify errors in open-source projects, including fuzzers and debuggers. It stated that the goal was to evaluate the model's unconventional capabilities without offering guidance on how to use these tools or details that could improve its ability to identify vulnerabilities.

Additionally, the company stated that it used the LLM as a tool to prioritize the most serious memory corruption vulnerabilities that were found and that it verified each flaw found to ensure that it was not fabricated (i.e., hallucinated). The following is a list of some of the security flaws that Claude Opus 4.6 identified. Since then, the corresponding maintainers have patched them.

- Analyzing the Git commit history to find a Ghostscript flaw that might cause a crash by exploiting a missing bounds check
- Looking for function calls such as strrchr() and strcat() in order to find an OpenSC buffer overflow vulnerability
- A heap buffer overflow vulnerability in CGIF (fixed in version 0.5.1)

Anthropic stated of the CGIF bug, "This vulnerability is particularly interesting because triggering it requires a conceptual understanding of the LZW algorithm and how it relates to the GIF file format."

Because such bugs require specific branches to be taken, "traditional fuzzers (and even coverage-guided fuzzers) struggle to trigger vulnerabilities of this nature." "In fact, this vulnerability could go unnoticed even if CGIF had 100% line- and branch-coverage because it necessitates a very specific set of actions."

The company has promoted Claude and other AI models as a vital tool for defenders to "level the playing field."
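The coverage argument quoted above can be reproduced with a small toy, given here as an added example that is not code from CGIF, Anthropic, or the original article. The encoder, its `enc_*` names, the branch bitmask, and both inputs are constructed for illustration: one input reaches every branch without exposing the missing capacity check, while another that keeps taking a single branch does expose it.

```c
#include <stddef.h>
#include <string.h>

#define TABLE_CAP 4 /* constructed toy capacity */
enum { B_RESET = 1, B_KNOWN = 2, B_NEW = 4, B_ALL = 7 };

/* Hypothetical toy encoder state, not CGIF code. */
typedef struct {
    unsigned char table[TABLE_CAP];
    size_t used;       /* entries currently in table[] */
    unsigned branches; /* bitmask of branch outcomes reached */
    int oob;           /* 1 if an append would have written past table[] */
} enc_t;

/* Feed one symbol; 0 is the reset code that empties the table. */
static void enc_feed(enc_t *e, unsigned char sym) {
    if (sym == 0) { e->branches |= B_RESET; e->used = 0; return; }
    if (memchr(e->table, sym, e->used)) { e->branches |= B_KNOWN; return; }
    e->branches |= B_NEW;
    /* The logic under test appends with no capacity check. This guard stands
       in for a sanitizer: it records the bad write instead of performing it. */
    if (e->used >= TABLE_CAP) { e->oob = 1; return; }
    e->table[e->used++] = sym;
}

/* Run a whole input through a fresh encoder. */
void enc_run(enc_t *e, const unsigned char *in, size_t n) {
    memset(e, 0, sizeof *e);
    for (size_t i = 0; i < n; i++) enc_feed(e, in[i]);
}

/* Constructed inputs: one covers every branch, one repeats a single branch. */
static const unsigned char COVERING[] = {1, 1, 0, 2};
static const unsigned char SEQUENCE[] = {1, 2, 3, 4, 5};

int main(void) {
    enc_t a, b;
    enc_run(&a, COVERING, sizeof COVERING); /* all branches, no bad write */
    enc_run(&b, SEQUENCE, sizeof SEQUENCE); /* one branch, bad write */
    return !(a.branches == B_ALL && a.oob == 0 && b.branches == B_NEW && b.oob == 1);
}
```

After its first symbol, the second input adds no new coverage, so a coverage-guided fuzzer gets no signal that extending it is worthwhile.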

However, it also made clear that it will update and modify its protections in response to new threats and put more barriers in place to stop abuse. The disclosure comes weeks after Anthropic claimed that its existing Claude models can identify and take advantage of known security flaws to launch multi-stage attacks on networks with dozens of hosts using only open-source, standard tools.

"This highlights the importance of security fundamentals like promptly patching known vulnerabilities and demonstrates how barriers to the use of AI in relatively autonomous cyber workflows are rapidly coming down," the statement read.