AI Sparks a Historic Surge in CVEs: Chrome Up 563%, VMware Up 180%
Over the past few months, we have seen a spectacular surge in the number of vulnerabilities (CVEs) published and patched across the most popular products and many open source projects. The source of this wave is artificial intelligence (AI), which now helps researchers discover security flaws.
An Explosion in CVEs Driven by New AI Models
2026 has been marked by a dramatic increase in CVE disclosures from many software vendors. I came across a report published by VulnCheck on this topic, and it shows impressive growth in the volume of vulnerabilities discovered. Compared with last year (from January 1, 2026 to mid-May 2026 versus the same period in 2025), here is what was observed:
- Chrome: +563.2%
- GitHub: +476.07%
- VMware: +180.9%
- Apache: +170.3%
- Mozilla: +156.9%
- HPE: +132.3%
- F5: +113.8%
In other words, the teams developing these fixes have been seriously overwhelmed by their backlogs...

This significant increase is explained by the use of artificial intelligence to assist in the discovery of security flaws. For Anthropic partners, this is also due to the work carried out as part of Project Glasswing and the use of the Claude Mythos Preview model. This model has already helped identify hundreds of zero-day vulnerabilities in the products of Anthropic partners. Notable examples include Mozilla (Claude Mythos helped uncover vulnerabilities in Firefox), as well as Google, Apple, Palo Alto Networks, the Apache Software Foundation, and Microsoft.
The image above highlights a 563% increase in disclosures for Google Chrome. In fact, Google reportedly uses a combination of the Mythos model and its own AI systems for vulnerability identification. The year-over-year trend is striking, and we are not even halfway through 2026 yet!

Open source projects have also been significantly affected. The increase in reports on GitHub is broad and does not come from a single source. Madison Oliver Ficorilli from GitHub explains it this way: "No individual reporter accounts for more than ~3% of the volume, and no single project accounts for more than ~7%. This is not one person or one tool, it is a systemic shift in how vulnerability reporting is happening across the ecosystem."
It has to be said that open source projects are ideal playgrounds for AI, since the code is public...
Vulnerability Management: A Real Challenge
Beyond these numbers and a trend that keeps being confirmed, the interesting point in VulnCheck's report is that the quality of submitted CVEs is also changing. It is true that at first, AI could surface just about anything, which made developers' jobs harder (and, frankly, it was annoying too).
Now, overall quality seems to be improving: "Our vulnerability reporting service was overwhelmed by an influx of submissions that, to be frank, were initially of poor quality. But over the past few months, the quality of the reports we have received has improved significantly, without any decrease in overall volume," notes the report published by VulnCheck.
However, it is still not perfect. For example, Daniel Stenberg, the maintainer of curl, tempers the immediate success of AI-assisted flaw discovery by pointing out that of five initially "confirmed" vulnerabilities reported by Mythos, only one turned out to be a valid CVE after human review.
Is this spike temporary, or will it remain at such a level for several more months or years? Time will tell. What is certain is that the volume of vulnerabilities to process has never been higher. Let’s end with this excellent VulnCheck visual, which illustrates the situation well.


