Anthropic has recently announced the enhancements made to the Claude Opus 4.6 AI model to detect vulnerabilities in code. In a recent experiment, the AI model identified over 500 previously unknown (0-day) vulnerabilities in the latest versions of several open source projects. The focus of the work was on finding vulnerabilities related to memory-related issues, as they are generally easier to verify. All the vulnerabilities discovered were classified as highly risky, and each one was manually verified by Anthropic employees or external security researchers.
The analysis of vulnerabilities involved examining popular open source projects that undergo continuous fuzz testing in the OSS-Fuzz service. Unlike fuzz testing, which generates random input data combinations, the AI model used logic to analyze code, identify unresolved errors similar to past fixes, and deduce potential disruptive input data for execution.
The identified vulnerabilities have already been reported to project maintainers, who are collaborating to implement fixes. Patches have been developed to address the vulnerabilities identified during the manual verification process. Notably, vulnerabilities in GhostScript, OpenSC, and CGIF have been fixed by maintainers.
Unlike traditional automatic vulnerability detection systems, the Claude Opus 4.6 model used a distinct approach. The model had access to a virtual machine equipped with standard developer tools, debugging utilities, and fuzz testing applications, with no specific instructions on how to utilize them. The AI model was tasked to independently determine the best approach to identify vulnerabilities.
During the process of detecting vulnerabilities in GhostScript, the AI model initially attempted fuzz testing without success. It then shifted to code analysis, but that also did not yield results. Eventually, the model identified a commit mentioning buffer boundary checks in the git history, leading to the discovery of a missing buffer bounds check while processing fonts.