VulnCheck — AI-Assisted Vulnerability Discovery Drives 563% CVE Surge Across Major Vendors

AI relevance: AI models are now systematically discovering vulnerabilities at scale — Anthropic's Project Glasswing has identified thousands of zero-days, and the resulting CVE surge forces AI operators to prioritize patching infrastructure components that serve model inference and agent orchestration.

VulnCheck has published the first comprehensive data analysis linking the surge in CVE disclosures to AI-assisted vulnerability discovery. Year-to-date data shows dramatic increases across the top CVE Numbering Authorities, with the pattern consistent across many independent reporters rather than a single source.

  • Chrome CVE disclosures are up 563.2% year-over-year; GitHub CVE issuance is up 476.07%; Mozilla +156.9%; Apache +170.3%; VMware +180.9%; HPE +132.3%; F5 +113.8%.
  • GitHub confirmed the increase is distributed: no single reporter accounts for more than ~3% of volume, and no single project accounts for more than ~7% — "a systemic shift in how vulnerability reporting is happening."
  • Anthropic's Project Glasswing (announced April 7, 2026) claims Claude Mythos Preview has already identified thousands of zero-day vulnerabilities across every major OS and browser, with access funneled to a coalition including AWS, Apple, Cisco, Google, Microsoft, NVIDIA, and Palo Alto Networks.
  • Mozilla is a Glasswing participant and stated the Firefox team has been "working around the clock using frontier AI models to find and fix latent security vulnerabilities" since February.
  • Microsoft launched its own AI discovery tool and noted that Patch Tuesday findings plus a retrospective review of five years of CLFS cases demonstrate "AI vulnerability findings can scale."
  • Google's Threat Intelligence Group separately published research on adversaries also leveraging AI for vulnerability exploitation — the dual-use pattern is now clear on both sides.
  • The ActiveMQ CVE-2026-34197, discovered by a researcher with Claude's assistance, is already on CISA's Known Exploited Vulnerabilities catalog and being exploited in the wild.
  • VulnCheck notes the signal is "still emerging" — it remains unclear whether volumes will sustain or represent a temporary surge as frontier models are applied across codebases.

Why it matters

AI operators running inference infrastructure — vLLM, Triton, model serving on Kubernetes, agent frameworks — depend on the same foundational software seeing this CVE surge. The volume of newly discovered vulnerabilities means AI platform teams must accelerate patching cadences. Meanwhile, the same AI models finding bugs for defenders are accessible to adversaries, compressing the window between discovery and exploitation.

What to do

  • Prioritize patching for CVEs in your AI infrastructure stack (runtime, container base images, inference frameworks) using threat intelligence, not just CVSS scores.
  • Monitor CISA's KEV catalog closely — AI-discovered vulns are moving to active exploitation faster than historical averages.
  • Expect sustained high CVE volumes; plan vulnerability management capacity accordingly rather than treating this as a temporary spike.
  • Review whether your AI model serving and agent orchestration components depend on any of the suppliers showing the highest CVE increases (Chrome, Mozilla, Apache, F5).
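As an added example (not from VulnCheck or this summary), a small Python script that applies the first two recommendations: findings in an inference-stack inventory are ranked by presence in a KEV-style feed before CVSS. The KEV snapshot and inventory are constructed; the field names follow CISA's known_exploited_vulnerabilities.json, the CVE-9999-* IDs and component names are placeholders, and the dates are invented sample values.

```python
"""Rank scanner findings for an AI serving stack by exploitation evidence first, CVSS second."""
import json

# Constructed KEV-style snapshot. Field names match CISA's known_exploited_vulnerabilities.json;
# the dates here are invented sample values, not the catalog's real entry for this CVE.
KEV_SNAPSHOT = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-34197", "vendorProject": "Apache", "product": "ActiveMQ",
     "dateAdded": "2026-04-10", "dueDate": "2026-05-01", "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed inventory from a scanner run; CVE-9999-* IDs and component names are placeholders.
INVENTORY = [
    {"cve": "CVE-9999-0001", "component": "inference container base image", "cvss": 9.8},
    {"cve": "CVE-2026-34197", "component": "ActiveMQ broker used by agent orchestration", "cvss": 7.5},
    {"cve": "CVE-9999-0002", "component": "model runtime dependency", "cvss": 5.3},
]


def load_kev(snapshot_json):
    """Index a KEV JSON document by CVE ID for constant-time lookups."""
    return {v["cveID"]: v for v in json.loads(snapshot_json)["vulnerabilities"]}


def prioritize(inventory, kev, today):
    """Return findings sorted into tiers: 0 = in KEV (patch first), 1 = CVSS >= 9.0, 2 = routine.

    `today` is an ISO date string; YYYY-MM-DD strings compare correctly as plain strings.
    """
    ranked = []
    for finding in inventory:
        entry = kev.get(finding["cve"])
        if entry is not None:
            overdue = entry["dueDate"] < today
            tier, reason = 0, (f"in KEV since {entry['dateAdded']}, due {entry['dueDate']}"
                               + (" (OVERDUE)" if overdue else ""))
        elif finding["cvss"] >= 9.0:
            tier, reason = 1, "critical CVSS but no exploitation evidence yet"
        else:
            tier, reason = 2, "routine patch cadence"
        ranked.append({**finding, "tier": tier, "reason": reason})
    # Within a tier, higher CVSS first; KEV membership always outranks CVSS.
    return sorted(ranked, key=lambda r: (r["tier"], -r["cvss"]))


if __name__ == "__main__":
    for r in prioritize(INVENTORY, load_kev(KEV_SNAPSHOT), "2026-05-15"):
        print(f"tier {r['tier']}  {r['cve']:<16} cvss {r['cvss']:<4} {r['component']}: {r['reason']}")
```

In practice the snapshot would be replaced by a fresh download of the KEV feed and the inventory by your scanner's export; the ordering logic stays the same.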