hacker:5cybersecurity:5anthropic:5tool:5opensource:5
Reverse engineering Claude's CVE-2026-2796 exploit
Introduction
Today we published an update on our collaboration with Mozilla, in which Claude Opus 4.6 found 22 vulnerabilities in Firefox over the course of two weeks. As part of that work, we evaluated whether Claude could go further: exploit the bugs, as well as find them. This blog post will deep dive into how Claude wrote an exploit for CVE-2026-2796 (now patched).
This is another data point for the trajectory of LLM’s cyber capabilities. In September, we noted that Claude's success rate on Cybench had doubled in six months. In early February we demonstrated that Claude’s success rate on Cybergym doubled in four months. We’re sharing this case study to provide an early glimpse into what we expect will be LLMs’ improving ability to author exploits.
Opus 4.6 is the first model we have observed writing a successful browser exploit with minimal hand holding. We repeated our experiment with Opus 4.1, Opus 4.5, Sonnet 4.5, Sonnet 4.6 and Haiku 4.5, but none succeeded. It’s unclear why that is, but we suspect that a combination of factors contributed, including Opus 4.6’s increased persistence, and its comparatively strong programming abilities.
It’s also not clear why Claude was able to construct an exploit for this vulnerability, but not others. This bug may have also been “easier” for Claude to exploit, because translating this type confusion into exploit primitives didn’t require sophisticated heap manipulation or chaining of multiple exploits to bypass other mitigations. We expect to see exploit capabilities continuing to improve as models get generally better at long horizon tasks and we will continue this research to better understand why particular bugs are easier or harder for models to exploit.
While we work to better understand the boundaries of autonomous exploitation, it's important to remember that our evaluation measured the capability floor of Opus 4.6. We believe this suggests motivated attackers who can work with LLMs will be able to write exploits faster than ever before. While Anthropic’s Safeguards team is working hard on preventing our model from being misused, the threat landscape is constantly evolving, and we must pay attention to these early signs of new model capabilities.
This is a moment to move quickly—to empower cyberdefenders to secure as much code as possible in order to raise the skill level required for cybercriminals to misuse LLMs’ cyber capabilities. We urge developers to take advantage of this window to redouble their efforts to make their software more secure. For our part, we plan to significantly expand our cybersecurity efforts, including by working with developers to search for vulnerabilities, developing tools to help maintainers triage bug reports, and directly proposing patches.
If you’re interested in helping us with our ongoing security efforts—writing new scaffolds to identify vulnerabilities in open-source software and triaging, patching, and measuring the implications of increasingly capable models, apply to work with us.
This is a good time to take a short break. We’re switching gears from a “vulnerability research” blog, where we’re discussing how a bug works, to a “transcript analysis” blog, where we’ll review the Agent’s transcripts. The main difference is that we’re going to more closely follow Claude’s workflow and incorporate real transcript snippets, even if those snippets contain minor mistakes. That’s because the goal for this section isn’t to understand how the exploit works, it’s to gain insight into how Claude approached exploit development.
Original source
https://red.anthropic.com/2026/exploit/