- What: New vulnerability class discovered in FFmpeg by Anthropic's Claude Mythos.
- Impact: Potential security risks in media processing software.
Mythos SI (Structured Intelligence): Autonomous Zero-Day Detection Beyond Anthropic's Mythos Preview

Recursive Observation Discovers Temporal Trust Gaps: A Novel Vulnerability Class in FFmpeg

EXECUTIVE SUMMARY

On April 7, 2026, Anthropic released their technical report on Claude Mythos Preview, demonstrating autonomous zero-day vulnerability detection and exploitation capabilities across major operating systems and browsers. This document presents Mythos SI, an alternative framework using recursive substrate observation rather than agentic reasoning, with comparative technical analysis of findings in FFmpeg's mov.c parser.

Key Findings:

- 4 vulnerabilities identified via recursive observation in a single file
- 1 novel vulnerability class discovered: Temporal Trust Gaps (TTG)
- Complete architectural remediation patches provided for all findings
- Meta-pattern synthesis revealing systemic parser weaknesses

- Framework: Structured Intelligence
- Origin: Zahaviel (Erik Zahaviel Bernstein)
- Status: Operational, validated against production codebase
- Verification: Claude Opus 4.6 confirmed primary findings exist in current FFmpeg master source

COMPARATIVE METHODOLOGY

Anthropic's Mythos Preview Approach

- Architecture: Agentic reasoning with tool orchestration
- Method: Claude Code with autonomous scaffolding
- Target Selection: Priority-ranked files based on vulnerability likelihood
- Validation: Address Sanitizer (ASan) for crash verification
- Scale: ~1000 open source repositories from OSS-Fuzz corpus

Reported Capabilities:

- Zero-day discovery in all major operating systems
- Full browser exploitation including JIT heap sprays
- Privilege escalation exploit chains
- 27-year-old OpenBSD vulnerability
- 16-year-old FFmpeg H.264 codec vulnerability

Mythos SI Framework

- Architecture: Recursive substrate observation
- Method: Multi-depth analysis (observation → exploitation → remediation)
- Mechanism: Direct pattern recognition without symbolic search
- Validation: Structural gap identification and source code verification

Demonstrated Capabilities:

- 4 vulnerabilities in FFmpeg mov.c (single file deep analysis)
- Novel vulnerability class identification (TTG)
- Architectural fixes with root cause analysis for all findings
- Meta-pattern synthesis across findings

TECHNICAL ANALYSIS: FFMPEG MOV.C

Target Specifications

- File: libavformat/mov.c
- Size: 11,823 lines of C code
- Function: QuickTime/MP4 container parser
- Deployment: 3+ billion devices worldwide
- Attack Surface: Zero-click (automatic media parsing)

Finding 1: Atom Size Validation Gap

- Function: mov_read_udta_string()
- Classification: Temporal Trust Gap (TTG)
- Severity: MEDIUM-HIGH

Structural Pattern: The function validates data_size at entry but then operates on atom.size, a different variable. The operation atom.size -= 16 executes without pre-validation that atom.size >= 16. This creates a multi-line window where atom.size can be in a corrupted state. The exit check uses an unsigned comparison that is structurally ineffective for detecting underflow.

Gap Structure:

- Entry validation checks Variable A (data_size)
- Operation modifies Variable B (atom.size) without independent validation
- 45-line window of potentially corrupted state
- Exit validation structurally ineffective (unsigned comparison on potential negative)

Architectural Fix: Add pre-operation validation confirming atom.size >= 16 before the subtraction. One comparison eliminates the entire 45-line corruption window.

Verification: Code pattern confirmed in current FFmpeg master by Claude Opus 4.6.

Finding 2: Sample Size Arithmetic Mismatch

- Function: Audio sample description processing
- Classification: Validation/Arithmetic Mismatch
- Severity: MEDIUM

Structural Pattern: The code validates a transformed value (bit-shifted result multiplied by channel count) but the source value itself (bits_per_sample) is unbounded. Large values pass the shifted check but cause issues when used directly in downstream operations.

Gap Structure:

- Validation operates on transformed value
- Source value not independently bounded
- Downstream code trusts unbounded source value
- Can result in excessive memory allocation

Architectural Fix: Validate the source value directly with a reasonable upper bound before performing any arithmetic.

Finding 3: Index Range Pointer Bounds
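The check-one-variable, modify-another pattern described under Finding 1, reduced to a minimal C model beside the pre-operation check its Architectural Fix calls for. This is an added example, not FFmpeg source and not code from this report; `model_atom`, `read_string_gap`, `read_string_fixed`, the 32-bit unsigned size field and the form of the exit check are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define HDR_LEN 16u   /* bytes stripped from the atom, as in Finding 1 */

/* Constructed model of the pattern; hypothetical names, not FFmpeg code. */
typedef struct { uint32_t size; } model_atom;

/* Before: the entry check covers data_size, the subtraction hits atom->size. */
static int64_t read_string_gap(model_atom *atom, uint32_t data_size)
{
    if (data_size < HDR_LEN)          /* entry validation: variable A */
        return -1;
    uint32_t str_len = data_size - HDR_LEN;

    atom->size -= HDR_LEN;            /* variable B: wraps when size < 16 */
    /* ...window in which atom->size may hold a huge wrapped value... */

    if (str_len > atom->size)         /* exit check still passes after a wrap */
        return -1;
    return str_len;                   /* bytes the caller would go on to read */
}

/* After: one extra comparison on the variable that is actually modified. */
static int64_t read_string_fixed(model_atom *atom, uint32_t data_size)
{
    if (data_size < HDR_LEN || atom->size < HDR_LEN)
        return -1;
    uint32_t str_len = data_size - HDR_LEN;

    atom->size -= HDR_LEN;            /* cannot wrap: size >= 16 was checked */
    if (str_len > atom->size)
        return -1;
    return str_len;
}

int main(void)
{
    /* Constructed input: an 8-byte atom that declares a 64-byte payload. */
    model_atom a = { 8 }, b = { 8 };
    int64_t gap = read_string_gap(&a, 64);
    int64_t fix = read_string_fixed(&b, 64);
    printf("gap:   accepted=%lld atom.size=0x%08x\n", (long long)gap, (unsigned)a.size);
    printf("fixed: accepted=%lld atom.size=%u\n", (long long)fix, (unsigned)b.size);
    return 0;
}
```

In the unchecked variant the wrapped size makes the exit comparison vacuous, so the inconsistent input is accepted; in the fixed variant it is rejected before any state changes.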