AT2k Design BBS Message Area

From: TCOB1 Security Posts
To: All
Subject: CRYPTO-GRAM, May 15, 2026 Part5
Date/Time: May 15, 2026 10:39 AM

 let me unpack it. It means: an attacker who already has some way to run code on
the machine, even as the most boring unprivileged user, can promote themselves
to root. From there they can read every file, install backdoors, watch every
process, and pivot to other systems.

    Why does that matter on shared infrastructure? Because "local" covers a lot
of ground in 2026: every container on a shared Kubernetes node, every tenant on
a shared hosting box, every CI/CD job that runs untrusted pull-request code,
every WSL2 instance on a Windows laptop, every containerised AI agent given
shell access. They all share one Linux kernel with their neighbours. A kernel
LPE collapses that boundary.

News article.

** *** ***** ******* *********** *************
OpenAI's GPT-5.5 is as Good as Mythos at Finding Security Vulnerabilities

[2026.05.13] The UK's AI Security Institute evaluated GPT-5.5's ability to find
security vulnerabilities, and found that it is comparable to Claude Mythos. Note
that the OpenAI model is generally available.

Here is the Institute's evaluation of Mythos.

And here is an analysis of a smaller, cheaper model. It requires more
scaffolding from the prompter, but it is also just as good.

** *** ***** ******* *********** *************
How Dangerous Is Anthropic's Mythos AI?

[2026.05.14] Last month, Anthropic made a remarkable announcement about its new
model, Claude Mythos Preview: it was so good at finding security vulnerabilities
in software that the company would not release it to the general public.
Instead, it would only be available to a select group of companies to scan and
fix their own software.

The announcement requires context -- but it contained an essential truth.

While Anthropic's model is really good at finding software vulnerabilities, so
are other models. The UK's AI Security Institute found that OpenAI's GPT-5.5,
already generally available, is comparable in capability. The company Aisle
reproduced Anthropic's published results with smaller, cheaper models.

At the same time, Anthropic's refusal to publicly release its new model makes a
virtue out of necessity. Mythos is very expensive to run, and the company
doesn't appear to have the resources for a general release. What better way to
juice the company's valuation than to hint at capabilities but not prove them,
and then have others parrot their claims?

Nonetheless, the truth is scary. Modern generative AI systems -- not just
Anthropic's, but OpenAI's and other, open-source models -- are getting really
good at finding and exploiting vulnerabilities in software. And that has
important ramifications for cybersecurity: on both the offense and the defense.

Attackers will use these capabilities to find, and automatically hack,
vulnerabilities in systems of all kinds. They will be able to break into
critical systems around the world, sometimes to plant ransomware and make money,
sometimes to steal data for espionage purposes, and sometimes to control systems
in times of hostility. This will make the world a much more dangerous, and more
volatile, place.

But at the same time, defenders will use these same capabilities to find, and
then patch, many of those same systems. For example, Mozilla used Mythos to find
271 vulnerabilities in Firefox. Those vulnerabilities have been fixed, and will
never again be available to attackers. In the future, AIs automatically finding
and fixing vulnerabilities in all software will be a normal part of the
development process, which will result in much more secure software.

Of course, it's not that simple. We should expect a deluge of both attackers
using newly found vulnerabilities to break into systems, and at the same time
much more frequent software updates for every app and device we use. But lots of
systems aren't patchable, and many systems that are don't get patched, meaning
that many vulnerabilities will stick around. And it does seem that finding and
exploiting is easier than finding and fixing. All of this points to a more
dangerous short-term future. Organizations will need to adapt their security to
this new reality.

But it's the long term that we need to focus on. Mythos isn't unique, but it's
more capable than many models that have come before. And it's less capable than
models that will come after. AIs are much better at writing software than they
were just six months ago. There's every reason to believe that they will
continue to get better, which means that they will get better at writing more
secure software. The endgame gives AI-enhanced defenders advantages over
AI-enhanced attackers.

Even more interesting are the broader implications. The same searching,
pattern-matching and reasoning capabilities that make these models so good at
analyzing software almost certainly apply to similar systems. The tax code isn't
computer code, but it's a series of algorithms with inputs and outputs. It has
vulnerabilities; we call them tax loopholes. It has exploits; we call them tax
avoidance strategies. And it has black hat hackers: attorneys and accountants.

Just as these models are finding hundreds of vulnerabilities in complex software
systems, we should expect them to be equally effective at finding many new and
undiscovered tax loopholes. I am confident that the major investment banks are
working on this right now, in secret. They've fed AI the tax code of the US, or
the UK, or maybe every industrialized country, and tasked the system with
looking for money-saving strategies. How many tax loopholes will those AIs find?
Ten? One hundred? One thousand? The Double Dutch Irish Sandwich is a tax
loophole that involves multiple different tax jurisdictions. Can AIs find
loopholes even more complex? We have no idea.

Sure, the AIs will come up with a bunch of tricks that won't work, but that's
where those attorneys and accountants come in -- to verify, and then justify,
the loopholes. And then to market them to their wealthy clients.

As goes the tax code, so goes any other complex system of rules and strategies.
These models could be tasked with finding loopholes in environmental rules, or
food and safety rules -- anywhere there are complex regulatory systems and
powerful people who want to evade those rules.

The results will be much worse than insecure computers. Tax loopholes result in
less revenue collected by governments, and regulatory loopholes allow the
powerful to skirt the rules, both of which have all sorts of social
ramifications. And while software vendors can patch their systems in days, it
generally takes years for a country to amend its tax code. And that process is
political, with lobbyists pressuring legislators not to patch. Just look at the
carried interest loophole, a US tax dodge that has been exploited for decades.
Various administrations have tried to close the vulnerability, but legislators
just can't seem to resist lobbyists long enough to patch it.

AI technologies are poised to remake much of society. Just as the industrial
revolution gave humans the ability to consume calories outside of their bodies
at scale, the AI revolution
--- FMail-lnx 2.3.2.6-B20251227
 * Origin: TCOB1 A Mail Only System (618:500/1)