Claude AI just learned how to hack Chrome: Will Mythos do it autonomously?


Amid backlash over Anthropic’s new AI model, Mythos, which has been deemed too dangerous for public use, a researcher demonstrated that even the older Claude Opus could crack Chrome on its own.

Using Claude Opus, a researcher at Hacktron targeted an outdated Chromium version bundled with Discord and guided the model through the construction of a full V8 exploit chain.

While the current model required close supervision before it handled the exploit, the researcher warns that more powerful models, such as Anthropic’s Mythos, could create exploit chains independently.

Rather than searching for new vulnerabilities, the model was given a set of known issues in Google Chrome’s V8 engine, specifically bugs that had already been patched in newer versions. The task was to identify one that could be exploited and then build a working chain.

The researcher highlighted that every patch is an “exploit hint.”

“A security patch in Chromium or the Linux kernel tells you exactly what was broken. Reverse-engineering patches used to take skill and time,” said the researcher.

“Now you can throw tokens at the problem and, with a decent operator nudging it past stuck points, get to a working exploit much faster,” they added.

Outdated Chromium is causing security problems

Many widely used applications, including Discord, Teams, Notion, and Slack, are built on Electron and bundle their own versions of Chromium. These versions often lag behind the latest release.

In this case, the researcher chose Discord as their target. The application runs Chromium 138, nine major versions behind the current Chrome. That gap left multiple known V8 vulnerabilities still present in the application.

Image: Chromium version. Source: Hacktron

This so-called “patch gap” is not new, but tools that can quickly analyze patches and reconstruct exploits may increase the risk it poses.

“If models keep getting better at turning patches into exploits, and patching stays slow, what happens to everything running outdated code?” the researcher asked.
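
An added example (not from the article or from Hacktron): a defender-side check that measures the patch gap described above by finding the Chromium version embedded in an application's files and comparing its major version with current stable. It assumes the binary carries a literal `Chrome/<version>` token; the function names, sample bytes and threshold are constructed for illustration.

```python
import re
from pathlib import Path
from typing import Optional

# Assumption: the binary carries a literal "Chrome/<a>.<b>.<c>.<d>" product
# token (the form used in User-Agent strings). Where an app does not, read
# process.versions.chrome from the running Electron app instead.
CHROME_TOKEN = re.compile(rb"Chrome/(\d{2,3})\.(\d{1,5})\.(\d{1,5})\.(\d{1,5})(?!\d)")

def chromium_versions(blob: bytes) -> list:
    """Distinct Chromium versions embedded in a binary blob, newest first."""
    found = {tuple(int(part) for part in m.groups())
             for m in CHROME_TOKEN.finditer(blob)}
    return sorted(found, reverse=True)

def patch_gap(blob: bytes, current_major: int) -> Optional[dict]:
    """Major-version gap between the newest embedded Chromium and current stable."""
    versions = chromium_versions(blob)
    if not versions:
        return None  # no Chromium token in this file
    newest = versions[0]
    return {"chromium": ".".join(map(str, newest)),
            "major_gap": max(0, current_major - newest[0])}

def scan_install_dir(root: str, current_major: int, max_gap: int = 1) -> list:
    """Report files under root whose bundled Chromium lags by more than max_gap majors."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        # Whole-file read keeps the example short; acceptable for a one-off audit.
        result = patch_gap(path.read_bytes(), current_major)
        if result and result["major_gap"] > max_gap:
            findings.append({"file": str(path), **result})
    return findings

# Constructed sample: major version 138 and the nine-version gap come from the
# article; the other version fields and the surrounding bytes are made up.
SAMPLE_BLOB = (b"\x7fELF\x00\x00Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
               b"(KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36\x00\x00")
CURRENT_STABLE_MAJOR = 147  # 138 + 9, per the article

if __name__ == "__main__":
    print(patch_gap(SAMPLE_BLOB, CURRENT_STABLE_MAJOR))
```

Run `scan_install_dir` against each application's install directory on a schedule and alert when `major_gap` exceeds the threshold your patch policy allows.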

How did Claude build a Chrome exploit?

The process took place over multiple sessions across about a week. The researcher did not directly write exploit code or explain V8 internals to the model. Instead, their role was to guide the process.

The researcher intervened when the model became stuck, redirecting it and providing debugging feedback. But the model independently reviewed V8 patch data, attempted multiple exploit strategies, and iterated.

After dozens of failed attempts, it successfully used a vulnerability identified as CVE-2026-5873. This is a remote code execution flaw in Google Chrome's V8 engine that allows attackers to execute arbitrary code via crafted HTML pages.

In practical terms, the breakthrough came in two stages. First, the model identified and successfully triggered CVE-2026-5873, a V8 optimization bug that incorrectly removes a bounds check under specific conditions.

Image: Claude Chrome attack chain. Source: Hacktron

That allowed it to build an out-of-bounds memory primitive, meaning it could read from and write to memory regions it wasn’t supposed to access.

On its own, that’s not enough to fully compromise the system, since modern browsers isolate the V8 engine inside multiple layers of sandboxing.

To get past that, the model incorporated a second, separate vulnerability affecting WebAssembly internals, which made it possible to manipulate execution flow by corrupting internal pointers.

By chaining the two together, using the first bug to gain memory access and the second to redirect execution, it was able to break out of the intended constraints and achieve arbitrary code execution, demonstrated by launching a calculator process as proof.

The entire experiment cost 2.3 billion tokens, which amounts to approximately $2,283 in API usage. The researcher says they needed around 20 hours of human oversight.

“That sounds expensive, until you compare it to the weeks of focused human effort it would normally take,” they commented.

AI models are getting smarter fast. Can patches keep up?

The key issue highlighted by this test is not full automation, but acceleration. AI models can reduce the time needed to move from a published patch to a working exploit. At the same time, patch deployment across real-world systems remains slow due to operational constraints and incomplete visibility into dependencies.

Anthropic’s frontier AI model, Mythos, showed astonishing results in finding and exploiting vulnerabilities. Last week, Anthropic acknowledged the dangers, after Mythos discovered thousands of high-severity vulnerabilities across every major operating system and web browser.

Instead of making the model available for public use, Anthropic introduced Project Glasswing, a cybersecurity initiative that provides controlled access for organizations, including Amazon, Apple, Google, Microsoft, Nvidia, CrowdStrike, JPMorgan Chase, Cisco, Broadcom, Palo Alto Networks, and the Linux Foundation.

An additional 40 groups responsible for maintaining critical software infrastructure were also included. Anthropic said it will provide $100 million in usage credits and $4 million in direct funding to support open-source security efforts.

“Even if Mythos is overhyped, the direction is obvious,” the researcher said.

“A model that needs this much hand-holding today will need less tomorrow. If Opus can do what I just showed you, extrapolate to Mythos. Then extrapolate again,” they concluded.

