Claude Opus 4.6 Finds 500+ High-Severity Flaws Across Major Open-Source Libraries - The Hacker News

Claude Opus 4.6 Finds 500+ High-Severity Flaws Across Major Open-Source Libraries Ravie LakshmananFeb 06, 2026Artificial Intelligence / Vulnerability Artificial intelligence (AI) company Anthropic revealed that its latest large language model (LLM), Claude Opus 4.6, has found more than 500 previously unknown high-severity security flaws in open-source libraries, including Ghostscript, OpenSC, and CGIF. Claude Opus 4.6, which was launched Thursday, comes with improved coding skills, including code review and debugging capabilities, along with enhancements to tasks like financial analyses, research, and document creation. Stating that the model is "notably better" at discovering high-severity vulnerabilities without requiring any task-specific tooling, custom scaffolding, or specialized prompting, Anthropic said it is putting it to use to find and help fix vulnerabilities in open-source software. "Opus 4.6 reads and reasons about code the way a human researcher would—looking at past fixes to find similar bugs that weren't addressed, spotting patterns that tend to cause problems, or understanding a piece of logic well enough to know exactly what input would break it," it added. Prior to its debut, Anthropic's Frontier Red Team put the model to test inside a virtualized environment and gave it the necessary tools, such as debuggers and fuzzers, to find flaws in open-source projects. The idea, it said, was to assess the model's out-of-the-box capabilities without providing any instructions on how to use these tools or providing information that could help it better flag the vulnerabilities. The company also said it validated every discovered flaw to make sure that it was not made up (i.e., hallucinated), and that the LLM was used as a tool to prioritize the most severe memory corruption vulnerabilities that were identified. Some of the security defects that were flagged by Claude Opus 4.6 are listed below. They have since been patched by the respective maintainers. Parsing the Git commit history to identify a vulnerability in Ghostscript that could result in a crash by taking advantage of a missing bounds check Searching for function calls like strrchr() and strcat() to identify a buffer overflow vulnerability in OpenSC A heap buffer overflow vulnerability in CGIF (Fixed in version 0.5.1) "This vulnerability is particularly interesting because triggering it requires a conceptual understanding of the LZW algorithm and how it relates to the GIF file format," Anthropic said of the CGIF bug. "Traditional fuzzers (and even coverage-guided fuzzers) struggle to trigger vulnerabilities of this nature because they require making a particular choice of branches." "In fact, even if CGIF had 100% line- and branch-coverage, this vulnerability could still remain undetected: it requires a very specific sequence of operations." The company has pitched AI models like Claude as a critical tool for defenders to "level the playing field." But it also emphasized that it will adjust and update its safeguards as potential threats are discovered and put in place additional guardrails to prevent misuse. The disclosure comes weeks after Anthropic said its current Claude models can succeed at multi-stage attacks on networks with dozens of hosts using only standard, open-source tools by finding and exploiting known security flaws. "This illustrates how barriers to the use of AI in relatively autonomous cyber workflows are rapidly coming down, and highlights the importance of security fundamentals like promptly patching known vulnerabilities," it said. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share SHARE  Application Security, artificial intelligence, cybersecurity, Open Source, secure coding, software development, threat detection, Vulnerability Trending News China-Linked Red Menshen Uses Stealthy BPFDoor Implants to Spy via Telecom Networks FCC Bans New Foreign-Made Routers Over Supply Chain and Cyber Risk Concerns Apple Warns Older iPhones Vulnerable to Coruna, DarkSword Exploit Kit Attacks ⚡ Weekly Recap: CI/CD Backdoor, FBI Buys Location Data, WhatsApp Ditches Numbers and More TeamPCP Pushes Malicious Telnyx Versions to PyPI, Hides Stealer in WAV Files Citrix Urges Patching Critical NetScaler Flaw Allowing Unauthenticated Data Leaks Coruna iOS Kit Reuses 2023 Triangulation Exploit Code in Recent Mass Attacks FBI Warns Russian Hackers Target Signal, WhatsApp in Mass Phishing Attacks Trivy Security Scanner GitHub Actions Breached, 75 Tags Hijacked to Steal CI/CD Secrets ThreatsDay Bulletin: PQC Push, AI Vuln Hunting, Pirated Traps, Phishing Kits and 20 More Stories CISA Adds CVE-2025-53521 to KEV After Active F5 BIG-IP APM Exploitation New Perseus Android Banking Malware Monitors Notes Apps to Extract Sensitive Data 54 EDR Killers Use BYOVD to Exploit 35 Signed Vulnerable Drivers and Disable Security Google Adds 24-Hour Wait for Unverified App Sideloading to Reduce Malware and Scams TeamPCP Backdoors LiteLLM Versions 1.82.7–1.82.8 via Trivy CI/CD Compromise Citrix NetScaler Under Active Recon for CVE-2026-3055 (CVSS 9.3) Memory Overread Bug Load More ▼ Popular Resources SANS SEC401: Get Hands On Skills to Detect and Respond to Cyber Threats [Guide] Learn How to Govern AI Agents With Proven Market Guidance Detect AI-Driven Threats Faster With Full Network Visibility [Demo] Discover SaaS Risks and Monitor Every App in Your Environment