The first CVE wave: AI-assisted discovery is reshaping disclosure volumes
VulnCheck's May 14, 2026 analysis shows year-to-date CVE issuance up +563% on Chrome, +476% on GitHub, +180% on VMware, +170% on Apache. The systemic shift behind the Apple, Mozilla and ActiveMQ headlines is now visible in the numbers.
What is this?
On May 14, 2026, VulnCheck’s Patrick Garrity published The First CVE Wave: Signs That AI-Assisted Vulnerability Discovery Is Reshaping Disclosure Volumes. The piece is not about a single bug. It looks at the top twenty CVE Numbering Authorities (CNAs) over five years and shows that, since the start of 2026, public disclosure volumes have surged across major vendors and open-source projects in a pattern that lines up with the public timeline of frontier vulnerability-discovery models.
The numbers, year-to-date as of mid-May 2026:
- Chrome: +563.2%
- VMware: +180.9%
- Apache: +170.3%
- Mozilla: +156.9%
- HPE: +132.3%
- F5: +113.8%
- GitHub CVE issuance (across many open-source projects): +476.07%
Two Patch Tuesdays after Anthropic announced Project Glasswing and Claude Mythos Preview on April 7, 2026, the signal that defenders were waiting for is showing up in the public CVE feed. This is the meta-story behind the specific, individual cases already covered here — including Apple’s May 11 bulletin crediting Claude on two macOS CVEs — and it changes how patch SLAs need to be sized.
How it works
There is no novel attack here. The “how” is the pipeline that produces these disclosures, not a payload. Across the vendors VulnCheck examined, the shape is consistent:
```
Code base (target)
        │
        ▼
Frontier model with code-reading + reasoning
(Anthropic Mythos / Claude Opus 4.7 / GPT-5.5-Cyber / Gemini)
        │
        ▼
Pattern-recall over the surface
(known bug classes: UAF, integer overflow, SSRF,
 path traversal, deserialization, auth bypass…)
        │
        ▼
Candidate list → human triage
(researcher discards false positives, validates real ones)
        │
        ▼
Working repro / advisory draft
        │
        ▼
Vendor disclosure → CVE issued → public CVE feed
```
Three of the participants have publicly described this workflow in May 2026.
Mozilla has been the most transparent. The Firefox team confirmed on May 13 that since February it has been “working around the clock using frontier AI models to find and fix latent security vulnerabilities in the browser”, and that an early version of Claude Mythos Preview was applied to Firefox as part of the Glasswing collaboration. The +156.9% YTD on Mozilla CVEs comes out of that program, not out of an external attacker wave.
Apache is in the same program. Anthropic donated $1.5M to the Apache Software Foundation to absorb the disclosure load. The first widely-noted example is CVE-2026-34197, an ActiveMQ RCE via the Jolokia console, credited to Naveen Sunkavally working with Claude. In his own words: “This was 80% Claude with 20% gift-wrapping by a human.” The CVE has since been added to CISA KEV (Known Exploited Vulnerabilities).
Microsoft confirmed on May 12, 2026 that AI vulnerability findings “can scale”, and tied the May 13 Patch Tuesday volume — alongside a retrospective recall on five years of CLFS MSRC cases — to its own multi-model agentic security system.
The honest counter-point comes from Daniel Stenberg of Curl, who reviewed Mythos findings on May 11 and reported that of five “confirmed” submissions, only one held up as a real CVE after his security team’s review. Curl is one of the most heavily fuzzed code bases on Earth, which sets a high bar; the result is a useful calibration on how much of the wave is real signal versus noise downstream of high-recall models.
Why it matters
Three concrete implications, none of them speculative.
Patch SLAs sized for the old rate are now wrong. A typical enterprise patch SLA — 30 days for critical CVEs on internet-facing assets — was negotiated against a baseline of a few hundred CVEs per quarter for a given vendor. If Chrome alone is issuing 6× more CVEs YTD, the per-bug attention budget collapses. Either the SLA shrinks or the queue grows. VulnCheck’s own framing: “Defenders should prepare for higher vulnerability volumes while continuing to use threat intelligence to prioritize emerging threats that are being actively exploited or likely to be.”
The signal is asymmetric across vendors. Glasswing partners (Apple, Mozilla, Microsoft, Google, Apache, AWS, Broadcom, Cisco, CrowdStrike, NVIDIA, JPMorgan, Linux Foundation, Palo Alto Networks, and others — see the VulnCheck list of Anthropic-attributed CVEs) are processing AI-found bugs through coordinated disclosure today. Non-partner vendors are not on the same curve yet. That gap will close — Google Threat Intelligence Group has already documented adversaries using AI for vulnerability exploitation — but for now, the volume is concentrated where there is also faster patching.
False-positive load is a real cost. Stenberg’s 1-in-5 ratio on Curl is the cleanest public number on this so far. For maintainers without a dedicated PSIRT, an inflow of AI-generated reports — many of them confident, well-written, and wrong — is itself a security-relevance problem: it consumes the same human attention that should be reviewing real findings. GitHub’s security team described the same dynamic across many smaller open-source projects: no single reporter accounts for more than ~3% of the volume, no project for more than ~7% — a systemic shift, not a single noisy actor.
Defenses
The defensive playbook is about volume, prioritization, and signal — not about a specific bug.
- Re-baseline patch SLAs against the new rate. For browser engines (Chrome, Firefox, Safari) and high-volume server stacks (Apache, VMware, F5), assume the rate of credible CVEs roughly doubles or triples over the next two quarters. Internet-facing assets in those stacks should target 7–14 day SLAs on critical and high CVEs; deferred patching cycles need an explicit out-of-cycle path for KEV-listed bugs.
- Wire CISA KEV into your prioritization pipeline if you haven’t already. CVE-2026-34197 (ActiveMQ) went from disclosure to KEV inclusion in days. KEV remains the cleanest public signal for “this matters now”, and is especially useful when raw CVE counts spike.
- Track Glasswing-attributed CVEs as a distinct cohort. VulnCheck publishes a running list of Anthropic-attributed CVEs. Tagging these in your own ingestion lets your team correlate which bug classes are being surfaced by AI vs. classical research, and gives a clearer view of where your own static-analysis stack is being out-recalled.
- Don’t disable HackerOne / bug-bounty intake — filter it. The instinct on the maintainer side is to throttle reports. The better move, per GitHub and Curl, is structured filtering: require a working repro, machine-readable advisory fields, and a clear “AI tools used” disclosure. The signal is improving over time; the worst phase was January–February 2026.
- Apply the same workflow on your own code. The pattern that Apache, Mozilla and Microsoft are using publicly — frontier model surfaces candidates, human triages, human writes the disclosure — is reproducible on internal code with publicly available models. You do not need Mythos-class access for the bug classes that dominate the current wave (UAFs, integer overflows, SSRF, path traversal, deserialization). Run it before someone else does.
- Threat-model the parallel attacker curve. Google’s GTIG note from May 2026 makes clear that adversaries are also pointing frontier models at code. The defensive disclosure wave is the controlled half of the distribution. The uncontrolled half is the cost of not patching fast enough.
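The first three items above (re-baselined SLAs, KEV as the out-of-cycle trigger, tagging the AI-attributed cohort) fit in one small triage step. The script below is an added illustration, not VulnCheck’s or any vendor’s tooling; the KEV and AI-attributed sets, the 2-day out-of-cycle window and every CVE id starting `CVE-0000-` are constructed placeholders, with only CVE-2026-34197 taken from the post.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample sets, not a live feed. In production KEV is loaded from
# CISA's KEV JSON feed and the AI cohort from VulnCheck's Anthropic-attributed
# list; both reduce to plain sets of CVE ids for this step.
KEV = {"CVE-2026-34197"}                              # ActiveMQ Jolokia RCE (from the post)
AI_ATTRIBUTED = {"CVE-2026-34197", "CVE-0000-1001"}   # second id is a placeholder
HIGH_VOLUME_STACKS = {"chrome", "firefox", "safari", "apache", "vmware", "f5"}
OUT_OF_CYCLE_DAYS = 2                                 # assumed KEV window; tune per org

@dataclass
class Cve:
    cve_id: str
    vendor: str            # normalised vendor/product key
    severity: str          # "critical" | "high" | "medium" | "low"
    internet_facing: bool
    published: date

def sla_days(c: Cve) -> int:
    """Re-baselined SLA: KEV goes out-of-cycle; critical/high on internet-facing
    high-volume stacks get 7/14 days; everything else keeps the legacy 30/90."""
    if c.cve_id in KEV:
        return OUT_OF_CYCLE_DAYS
    if c.internet_facing and c.vendor in HIGH_VOLUME_STACKS:
        if c.severity == "critical":
            return 7
        if c.severity == "high":
            return 14
    return 30 if c.severity in ("critical", "high") else 90

def tags_for(c: Cve) -> list[str]:
    """Cohort tags so KEV and AI-attributed bugs can be reported separately."""
    return [t for t, s in (("kev", KEV), ("ai-attributed", AI_ATTRIBUTED)) if c.cve_id in s]

def triage(cves: list[Cve]) -> list[dict]:
    """Return the patch queue ordered by due date, earliest first."""
    rows = [{"cve": c.cve_id, "vendor": c.vendor,
             "due": c.published + timedelta(days=sla_days(c)),
             "tags": tags_for(c)} for c in cves]
    return sorted(rows, key=lambda r: (r["due"], r["cve"]))

SAMPLE = [  # constructed records; CVE-0000-* ids are placeholders, not real CVEs
    Cve("CVE-2026-34197", "apache", "critical", True, date(2026, 5, 14)),
    Cve("CVE-0000-1001", "chrome", "high", True, date(2026, 5, 12)),
    Cve("CVE-0000-1002", "vmware", "medium", True, date(2026, 5, 10)),
    Cve("CVE-0000-1003", "exampleco", "critical", False, date(2026, 5, 1)),
]

if __name__ == "__main__":
    for r in triage(SAMPLE):
        print(r["due"].isoformat(), r["cve"], r["vendor"], ",".join(r["tags"]) or "-")
```

The KEV-listed ActiveMQ bug lands at the top of the queue even though it was published last, which is the ordering the post argues for when raw CVE counts spike.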
Status
| Item | Reference | Date | Notes |
|---|---|---|---|
| VulnCheck First CVE Wave analysis | VulnCheck | 2026-05-14 | Top-20 CNAs, 5-year baseline, YTD 2026 comparison |
| Project Glasswing announcement | Anthropic | 2026-04-07 | Restricted access to Claude Mythos Preview for ~50 partners |
| Mozilla AI security disclosure | Mozilla Blog | 2026-05-13 | Confirms Mythos use on Firefox since February |
| Microsoft “Defense at AI Speed” | Microsoft Security Blog | 2026-05-12 | Multi-model agentic security system, CLFS retrospective |
| Curl Mythos review | daniel.haxx.se | 2026-05-11 | 1 of 5 Mythos submissions held up as a real CVE |
| ActiveMQ CVE-2026-34197 | Horizon3.ai / Apache | 2026-05 | “80% Claude, 20% human”, now on CISA KEV |
The first CVE wave is not a new attack class. It is a production-volume shift — public disclosure, with vendor patches attached, running ahead of the rate that defensive teams were sized for. The job is to read the wave for what it is, re-baseline accordingly, and avoid the symmetric mistake of either dismissing the volume as noise or treating every new CVE as immediately exploited.
Sources
- https://www.vulncheck.com/blog/ai-assisted-vulnerability-discovery
- https://blog.mozilla.org/en/privacy-security/ai-security-zero-day-vulnerabilities/
- https://www.microsoft.com/en-us/security/blog/2026/05/12/defense-at-ai-speed-microsofts-new-multi-model-agentic-security-system-tops-leading-industry-benchmark/
- https://daniel.haxx.se/blog/2026/05/11/mythos-finds-a-curl-vulnerability/
- https://horizon3.ai/attack-research/disclosures/cve-2026-34197-activemq-rce-jolokia/
- https://www.anthropic.com/project/glasswing