‘Patch Wave’ Warning: AI May Expose Decades of Hidden Software Bugs | eWeek


May 4, 2026

The UK’s National Cyber Security Centre issued an unusual warning about what’s coming next. AI, the NCSC says, is now capable of unearthing decades of buried software flaws at a scale and speed that the industry’s entire patching infrastructure was never built to handle.

The result? A coming flood of critical updates across every layer of the tech stack, all at once. They’re calling it a “patch wave.” Organizations that aren’t ready will be caught flat-footed. That’s the problem the NCSC is trying to get ahead of. As more AI tools gain this capability, the gap between “flaw discovered” and “flaw exploited” shrinks from weeks to hours. The NCSC’s guidance is direct:

  • Prioritize anything internet-facing first, then work inward
  • Enable automatic updates wherever possible
  • Legacy systems that can’t receive patches need to be replaced, not ignored
  • Assume incoming updates will be critical severity, not routine

The warning didn’t come out of nowhere. In April, Anthropic unveiled Claude Mythos Preview, a model so effective at finding software vulnerabilities that Anthropic refused to release it publicly. During testing, it found over 2,000 previously unknown flaws across major operating systems and browsers, including a 27-year-old bug in OpenBSD and a 17-year-old remote code execution flaw in FreeBSD. Over 99% of what it found remains unpatched today.

But the urgency is already materializing. Last week, researchers at security firm Theori used their own AI tool to scan Linux’s cryptographic code. It took about an hour. What they found (dubbed “Copy Fail”) grants hackers full root access to every major Linux distribution shipped since 2017. One 732-byte script. One hundred percent reliability. A fix exists, but exploit details went public before all distributions had issued patches.

Why this matters

You don’t run a server. You don’t manage patches. But your paycheck, your medical records, and your taxes all live on systems that do. 

These systems were built assuming bugs get found slowly, by humans, one at a time. That assumption just broke. Anthropic says that over 99% of what Mythos found remains unpatched. Copy Fail is just one example of what happens when that window stays open too long. The vulnerabilities are known. The clock is running. The only question is who finds them next.

Editor’s note: This content originally ran in the newsletter of our sister publication, The Neuron.
