CourionAI Newsletter
← All news
security 2 min read

AI Is Now Hunting Software Bugs — and It's Finding a Lot of Them

The number of serious software vulnerabilities reported in a single month just jumped 3.5x to a record high, as AI models learn to find security holes on their own. Good news and bad news are tangled together here — and there's a simple takeaway for everyone.

Risograph illustration: a soaring bar chart of bug icons with a tall coral spike and a magnifying glass — a surge in vulnerabilities found by AI.

Something big is shifting in computer security, and researchers at Epoch AI have put a number on it. In June 2026, organizations reported around 1,500 serious software vulnerabilities — more than 3.5 times the previous monthly record. The cause is fairly clear: AI models have gotten good at finding security holes on their own, and they’ve been let loose.

A quick definition: a “vulnerability” (often called a CVE, which is just its public ID number) is a flaw in software that an attacker could exploit — a weak lock on a digital door. Finding these has traditionally been slow, skilled human work. Now AI does it at scale. Anthropic said earlier this year that one of its models can discover flaws autonomously, and its “Glasswing” program has reportedly uncovered more than 10,000 serious ones. OpenAI runs a similar effort. That’s why the chart suddenly spikes.

Here’s the tangle: is this good or bad? Both, and they’re wrapped together. Every one of these flaws already existed — the AI didn’t create them, it just found what was always there, so they can be fixed. That’s genuinely good; it’s draining a swamp. The catch is that fixing lags finding. Software has to be patched by maintainers, then those updates have to actually be installed by everyone running the software — and that human chain doesn’t speed up just because AI got faster at discovery. Worse, attackers get the same AI tools, so once a flaw is public, it can be weaponized quickly. Anthropic itself warned that its models find bugs faster than developers can patch them. Fair caveat: CVE counts are a noisy measure and severity is self-assigned by reporters — but a 3.5x jump is hard to wave away.

What this means for you: The gap between “flaw discovered” and “flaw exploited” is shrinking, which makes the boring advice suddenly urgent. Turn on automatic updates everywhere you can — your phone, computer, apps, and especially anything you run yourself like a home server or website. Keep a simple list of the software your household or business actually uses, so you know what needs patching. And if you maintain any open-source software, brace for more AI-generated bug reports landing in your inbox — and set aside time to sort the real ones from the noise.

Sources

Source: https://epoch.ai/data/cve

Next story

Google's Power Use Jumped 37% in One Year — and AI Is the Reason

Google's own environmental report shows its electricity use rising at a record pace, its data centers now drawing more power than some entire countries. A clear look at what the AI boom actually costs in energy — and why it's a quiet argument for right-sizing your AI.

Risograph illustration: an electricity meter with its coral needle climbing steeply beside server buildings — soaring power use from AI.