- Authors
- Name
- 오늘의 바이브
A Bug That Hid in GhostScript for Over 20 Years
On February 20, 2026, Anthropic launched Claude Code Security. It's a tool built on the Opus 4.6 model with security analysis capabilities baked in. When pointed at open-source codebases, it found over 500 high-severity zero-day vulnerabilities. These were in projects that had been fuzzed for millions of CPU hours and reviewed by human experts for decades.
The most striking example is GhostScript. It's a PostScript and PDF processing utility bundled with nearly every Linux distribution. Claude went through the project's git commit history and spotted something: a commit that added stack bounds checking for font handling in gstype1.c. But the same logic in a different code path (gdevpsfx.c, line 292) never got that fix. The patch was incomplete.
After identifying this gap, Claude generated a PostScript file that triggered a crash in the unpatched path. It followed the same process a human security researcher would. The difference was speed. What would take a human days or weeks, Claude finished in minutes.
What stands out is the method. Traditional security tools analyze code in its current state. Claude did something different. It read through git history chronologically, tracking which security patches were applied and whether they covered all relevant code paths. Like a detective studying case files, it found traces of incomplete fixes in the project's history. GhostScript has over 30 years of commit history. No human can read all of that and spot patterns across it.
What Millions of Hours of Fuzzing Missed
The workhorse of traditional vulnerability hunting is the fuzzer. It throws massive volumes of random inputs at a program, looking for points where it behaves abnormally. Tools like AFL and libFuzzer have found countless vulnerabilities this way. The problem is that fuzzers have blind spots.
The OpenSC case illustrates this well. OpenSC is a command-line utility for smart card data. Claude found consecutive strcat calls writing to a 4096-byte filename buffer with no length validation. A textbook buffer overflow.
Why didn't fuzzers catch it? Reaching that code path requires a specific smart card configuration, a specific driver loaded, and specific data structures in place. Too many preconditions for random inputs to stumble into. Claude reads code and understands context, so it can identify vulnerable patterns regardless of how hard they are to reach at runtime.
The third case is the most interesting. In CGIF, a GIF processing library, Claude found a vulnerability by understanding how the LZW compression algorithm works. LZW maintains a symbol table during compression. When the table reaches maximum size, a "clear" token resets it. This can cause compressed output to exceed the uncompressed input size. CGIF assumed compressed data would always be smaller than the original. That assumption led to a heap buffer overflow.
Finding this vulnerability requires conceptual understanding of the LZW algorithm. Fuzzers don't understand algorithms. Pattern-matching static analysis tools don't either. What Claude caught was context, not rules. CGIF fixed this in version 0.5.1, but before that, every application processing GIFs through this library was exposed.
A clear pattern emerges across all three cases. Claude starts with fuzzing, but when that doesn't yield results, it shifts to reading the code directly. It searches for function calls known to be risky (strrchr, strcat, memcpy) and evaluates whether each call is used safely by analyzing the surrounding context. Not a simple grep. It traces variable lifecycles and data flow.
How This Differs From Traditional Security Tools
Claude Code Security works fundamentally differently from SAST (static analysis) tools. SAST tools define known vulnerability patterns as rules and scan code for matches. Exposed passwords, outdated encryption, SQL injection-prone code. Effective, but they can't catch what's not in their rulebook.
Claude takes a different approach. In Anthropic's words, it "reads and reasons about code the way a human security researcher would." It understands component interactions, traces data flow through applications, and catches complex business logic flaws and access control bypasses that rule-based tools structurally cannot detect.
| Category | Traditional SAST | Claude Code Security |
|---|---|---|
| Analysis method | Pattern matching, rule-based | Code reasoning, contextual understanding |
| Detection scope | Known vulnerability patterns | Unknown zero-days included |
| False positives | High | Multi-stage self-verification filtering |
| Algorithm knowledge | None | Conceptual understanding (LZW, memory) |
| Git history | Not analyzed | Traces incomplete fixes through history |
| Fix suggestions | Limited | Generates patches (human approval required) |
The verification process is unique. Claude tries to disprove its own findings. It re-examines each discovery across multiple rounds, attempting to prove or refute what it found. It filters false positives, rates severity, and assigns confidence scores for complex findings. Nothing gets applied without human developer approval.
This self-verification loop matters because the biggest problem with existing SAST tools is their false positive rate. Anyone who has used SonarQube or Checkmarx knows: out of hundreds of warnings, only a handful are genuinely dangerous. The rest is noise. That noise causes "alert fatigue" where development teams start ignoring security warnings altogether. Claude's multi-stage self-verification directly addresses this. After a finding, it asks itself "is this actually dangerous?" and flags uncertain results with confidence scores instead of hard alerts.
Why Security Stocks Crashed Overnight
Right after the Claude Code Security announcement, cybersecurity stocks tanked across the board. CrowdStrike (CRWD) dropped 9.9%. Zscaler (ZS) and Cloudflare (NET) fell 8-11%. JFrog (FROG) plunged as much as 25% over four trading days. The Global X Cybersecurity ETF (BUG) dropped 7%, its steepest single-day decline in years. Even Microsoft fell 3.2%.
The investor panic has a simple logic. If AI automates security analysis, then the core competitive advantage of existing security vendors -- the threat detection know-how accumulated by specialized human talent -- becomes commoditized. The barrier to entry for high-level security analysis gets permanently lowered by autonomous reasoning models.
Market analysts predicted the security industry would bifurcate. AI labs would dominate upstream development-stage security, while incumbents would be pushed toward runtime protection and incident response. New markets for "AI security insurance" and "AI validation services" could emerge.
Bloomberg described it as "AI tearing down the industry's moats." The threat intelligence databases, specialized personnel, and detection rules that security vendors built over decades were being repriced in a single trading session.
There's an argument for overreaction here. CrowdStrike's core business is endpoint detection and response (EDR), not code-level vulnerability analysis. No matter how good Claude Code Security gets, blocking attacks at runtime in real time is a different problem. But markets don't do nuance. Once the "AI replaces security" narrative forms, the entire sector gets repriced.
The Dual-Use Problem Nobody Can Solve
Anthropic itself acknowledges the technology's double-edged nature. Claude Code Security's capabilities are inherently "dual-use." The same tool that helps companies find and fix vulnerabilities can help attackers find and exploit them. If attackers find bugs before defenders patch them, the advantage flips.
This isn't hypothetical. From December 2025 to January 2026, a hacker jailbroke Claude AI and used it to exfiltrate data from Mexican government agencies. Finding vulnerabilities, generating exploit code, siphoning sensitive data. The entire kill chain ran through Claude. 190 million people's personal information was exposed.
Anthropic's response has three parts. First, they deployed "probe" systems that monitor Claude's internal activity in real time. Second, they expanded enforcement capabilities to block malicious traffic. Third, they limited the product to Enterprise and Team customers while giving open-source maintainers free expedited access. The idea: let defenders use the tool before attackers can.
OpenAI took a more cautious approach. GPT-5.3 Codex's security features are limited to paid users, with sensitive security analysis gated behind a "trusted-access program for vetted security professionals." Their position: "no definitive evidence the model fully automates cyberattacks, but we're taking precautionary measures."
The strategic difference is telling. Anthropic gives the weapon to defenders first. OpenAI controls the weapon's distribution. Neither approach is bulletproof. Defenders with early access don't prevent attackers from developing the same capability independently. Controlling distribution doesn't prevent jailbreaks or open-source alternatives.
Frontier Red Team: 15 Researchers, One Year of Work
Claude Code Security didn't appear overnight. About 15 researchers on Anthropic's Frontier Red Team spent over a year building this. The team's original mission is to stress-test Anthropic's AI models and explore misuse scenarios. They play the attacker so defenders don't have to learn the hard way.
Team lead Logan Graham put it this way: "This is the next step as a company committed to powering the defense of cybersecurity." He called the tool a "force multiplier for security teams." A military term. The idea of amplifying combat power without increasing headcount.
During development, the Frontier Red Team participated in competitive CTF (Capture the Flag) events and partnered with Pacific Northwest National Laboratory to test critical infrastructure defense. Finding 500+ vulnerabilities was a byproduct of this research.
The discovery process ran in parallel with human researchers. Early on, human security researchers validated Claude's findings and wrote patches. As the volume of discoveries grew, they brought in external researchers. They focused on memory corruption vulnerabilities because those are easier to verify than logic errors. Address sanitizers caught memory errors that didn't even produce crashes.
The key claim: all of this happened "without task-specific tooling, custom scaffolding, or specialized prompting." Opus 4.6's general-purpose reasoning did the security analysis. Claude was given a simulated computing environment, standard utilities, debuggers, and fuzzers. No security-specific fine-tuning. No specialized prompt chains. A general-purpose model performing specialist-level security analysis.
The AI That Hunts Bugs Is Hunting an Industry
The real significance isn't the 500 bugs themselves. Bugs get patched. What remains is structural change.
First, the cost structure of security analysis shifted. Security audits used to require specialized personnel working weeks or months. Professional audit firms charge hundreds of thousands of dollars. Claude Code Security compresses this to hours. Free access for open-source maintainers means projects that could never afford security audits now get high-quality vulnerability scanning.
Second, security professionals' roles are changing. If Claude automates junior security researcher-level analysis, human experts shift to more complex judgment calls: threat modeling, organizational security strategy, deciding which threats matter and in what order to address them. Graham's "force multiplier" framing is apt. It doesn't replace security personnel. It lets a small team cover a much wider surface area.
Third, and most uncomfortable: this technology doesn't stop here. Opus 4.0 couldn't do meaningful security analysis. Opus 4.5 showed promise. Opus 4.6 found 500 zero-days. Each model generation dramatically expands what's possible. What the next generation will find is anyone's guess.
One thing worth considering. The 500 vulnerabilities found were in open-source projects where patches are now underway. But the world has far more closed-source code than open-source. Enterprise internal code, legacy systems, defense software. If Claude found 500 in well-audited open-source, how many are hiding in closed-source code that gets far less scrutiny? The tool's real game-changing moment will come when it hits enterprise environments at scale.
Anthropic says it wants to "put this power squarely in the hands of defenders." There's no reason to doubt the intention. But intention and outcome don't always align. As the Mexico incident showed, the same model works as both shield and sword. The real question facing the security industry isn't "can AI find bugs?" It's "who sees the bugs first?"
Sources:
- Anthropic rolls out AI tool that can hunt software bugs on its own - Fortune
- Claude Code Security: 0-Days - Anthropic Red Team
- Claude Code Security - Anthropic
- Claude Code Security Triggers Cybersecurity Flash Crash - MarketMinute
- Anthropic Claude Code Security Reasoning Vulnerability Hunting - VentureBeat
- Claude Opus 4.6 Finds 500+ High-Severity Flaws - The Hacker News