Mozilla has patched a record-breaking 423 security vulnerabilities in Firefox after deploying an agentic AI pipeline powered by Anthropic’s Claude Mythos Preview model, marking what security researchers are calling the most significant browser hardening effort in history.
The fixes, shipped across Firefox 149.0.2, 150, 150.0.1, and 150.0.2, mark a significant shift in how open-source projects can use advanced AI to detect latent, previously unfindable bugs at unprecedented scale.
Mozilla’s AI-assisted security journey began earlier in 2026 with Anthropic’s Claude Opus 4.6, which identified 22 security-sensitive bugs in Firefox 148 over a two-week testing period, 14 of which were classified as high severity.
Those early results were promising but modest. Everything changed when Mozilla gained early access to Claude Mythos Preview through Anthropic’s restricted Project Glasswing program.
In a single evaluation pass, Claude Mythos Preview identified 271 vulnerabilities that were fixed in the Firefox 150 release. Combined with bugs found through other means during the same period, Mozilla’s total patch count for April 2026 reached 423, more than five times the 76 fixes issued in March and nearly 20 times the 31 fixes shipped in April 2025.
Mozilla CTO Bobby Holley described the findings as producing “vertigo,” and declared that “defenders finally have a chance to win, decisively.”
Mozilla AI Fixes 423 Firefox Bugs
The bugs uncovered by the AI harness were not trivial. Among the most critical disclosed findings were a 15-year-old flaw in the HTML <legend> element, triggered by orchestrating edge cases across recursion stack depth limits, expando properties, and cycle collection; and a 20-year-old XSLT vulnerability in which reentrant key() calls caused a hash table rehash that freed its backing store while a raw entry pointer was still in use.
Other notable bugs included a race condition over Inter-Process Communication (IPC) that allowed a compromised content process to manipulate IndexedDB reference counts and trigger a use-after-free (UAF), enabling a potential sandbox escape; a raw NaN value crossing an IPC boundary that could masquerade as a tagged JavaScript object pointer, turning double deserialization into a parent-process fake-object primitive; and a buffer over-read during HTTPS RR and ECH parsing, triggered by simulating a malicious DNS server intercepting glibc DNS function calls.
Officially, three CVEs are attributed to Claude’s discoveries: CVE-2026-6746, CVE-2026-6757, and CVE-2026-6758.
Within Firefox’s JavaScript engine alone, the model converted over 72% of identified vulnerabilities into working proof-of-concept exploits, while achieving partial control, such as register manipulation, in an additional 11.6% of cases. These are capabilities that traditionally require elite human exploit developers working for months.
Mozilla’s engineering team did not simply point a model at Firefox’s source code and wait for results. The team built a full agentic harness atop its existing fuzzing infrastructure, then parallelized jobs across multiple ephemeral virtual machines, with each VM tasked with hunting for bugs in a specific target file and reporting findings back to a central bucket.
The key innovation was agentic feedback: unlike static LLM analysis that generates plausible but unverified findings, the harness creates and runs reproducible test cases to dynamically confirm whether a hypothetical bug is real and exploitable.
This eliminated the false-positive problem that had historically made AI-generated vulnerability reports an unwanted burden on maintainers: the same report that was cheap to generate with an LLM was slow and expensive for developers to triage and dismiss.
The full pipeline integrated deduplication against known issues, automated bug tracking, triage workflows, and release management, requiring significant iteration with the Firefox engineering team. Over 100 people ultimately contributed code to ship patches stemming from this effort.
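The confirm-then-deduplicate step described above can be sketched as follows. This is an added example, not Mozilla's harness: the toy targets, the sample findings and the crash-signature scheme (error type plus throwing function) are assumptions made for illustration.

```javascript
// Added example; the toy targets, FINDINGS and KNOWN are constructed.
// The explicit throws stand in for a sanitizer abort in a real target.
function parseRecord(bytes) {
  const len = bytes[0];
  if (len > bytes.length - 1) throw new RangeError('read past end of record');
  return bytes.slice(1, 1 + len);
}
function decodeHeader(bytes) {
  if (bytes.length === 0) throw new TypeError('empty header');
  return bytes[0];
}
// Run a reproducer once; return "ErrorType@throwingFunction", or null if clean.
function runOnce(repro) {
  try { repro(); return null; } catch (err) {
    const frame = /^\s+at (?:new )?([\w$.]+)/m.exec(err.stack || '');
    return `${err.name}@${frame ? frame[1] : 'unknown'}`;
  }
}
// Confirmed = has a reproducer and every run fails the same way.
function confirm(finding, runs = 3) {
  if (typeof finding.repro !== 'function') return { status: 'unverified' };
  const sigs = new Set();
  for (let i = 0; i < runs; i++) sigs.add(runOnce(finding.repro));
  if (sigs.size > 1) return { status: 'flaky' };
  const [sig] = sigs;
  return sig ? { status: 'confirmed', signature: sig } : { status: 'not-reproduced' };
}
// A confirmed signature counts once: tracker hits and repeats are duplicates.
function triage(findings, known) {
  const seen = new Set(known);
  return findings.map((f) => {
    const r = confirm(f);
    if (r.status === 'confirmed' && seen.has(r.signature)) r.status = 'duplicate';
    if (r.signature) seen.add(r.signature);
    return { id: f.id, ...r };
  });
}

const KNOWN = ['TypeError@decodeHeader']; // constructed: already in the tracker
let n = 0; // makes F6 fail only on alternate runs
const FINDINGS = [ // constructed model output
  { id: 'F1', repro: () => parseRecord([9, 1, 2]) },           // real and new
  { id: 'F2', repro: () => parseRecord([255]) },               // same bug, other input
  { id: 'F3', claim: 'possible overflow in parseRecord' },     // no reproducer
  { id: 'F4', repro: () => parseRecord([2, 1, 2]) },           // claim that does not fire
  { id: 'F5', repro: () => decodeHeader([]) },                 // already tracked
  { id: 'F6', repro: () => { if (n++ % 2) parseRecord([9]); } }, // nondeterministic
];
console.log(triage(FINDINGS, KNOWN));
```

Only F1 reaches a developer as a new bug; every other finding is filtered or folded into an existing signature before anyone has to triage it.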
One of the most significant findings was not a new vulnerability but a validation of previous architectural decisions. Audit logs from the harness revealed numerous attempts by the AI to escape Firefox’s process sandbox via prototype pollution, a technique previously exploited by human researchers.
Each attempt was blocked by an architectural change Mozilla had previously made to freeze these prototypes by default, demonstrating direct, measurable payoff from defense-in-depth engineering.
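The effect of frozen prototypes can be reproduced in any JavaScript engine. The following is an added example, not Firefox code: it runs one deliberately unsafe merge in a default realm and in a realm with frozen built-in prototypes, and the merge function, payload and realm setup are all constructed for illustration.

```javascript
// Added example, not Firefox code: one unsafe merge run in a default realm
// and in a realm whose built-in prototypes are frozen. All names are constructed.
const vm = require('node:vm');

// Constructed untrusted JSON that targets Object.prototype.
const PAYLOAD = '{"__proto__": {"isAdmin": true}}';

// Runs inside a fresh realm, which has its own Object.prototype.
const SCRIPT = `
  const log = [];
  // Deliberately unsafe deep merge: it walks into "__proto__".
  function merge(dst, src) {
    for (const k of Object.keys(src)) {
      if (src[k] && typeof src[k] === 'object') merge(dst[k] || (dst[k] = {}), src[k]);
      else dst[k] = src[k];
    }
  }
  try { merge({}, JSON.parse(payload)); }
  catch (e) { log.push(e.name + ': blocked write'); }
  ({ polluted: ({}).isAdmin === true, log });
`;

function runInRealm({ frozen, strict }) {
  const ctx = vm.createContext({ payload: PAYLOAD });
  if (frozen) {
    vm.runInContext('[Object, Array, Function].forEach((C) => Object.freeze(C.prototype));', ctx);
  }
  // Strict mode turns the rejected write into a TypeError that can be logged.
  return vm.runInContext((strict ? "'use strict';\n" : '') + SCRIPT, ctx);
}

const cases = [
  { frozen: false, strict: true },
  { frozen: true, strict: true },
  { frozen: true, strict: false },
];
for (const c of cases) {
  const r = runInRealm(c);
  console.log(JSON.stringify(c), '-> polluted:', r.polluted, 'log:', r.log.join());
}
```

The third case matters for detection: in sloppy mode the frozen prototype still blocks the write, but silently, so nothing reaches the log.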
Mozilla also reported that its in-process sandboxing technology for third-party libraries, RLBox, was tested by the AI, which identified a gap in the verification logic used to copy values from the untrusted to the trusted side of the sandbox boundary. This bug went undetected by conventional fuzzing.
Looking ahead, Mozilla intends to integrate AI-based scanning directly into its continuous integration (CI) system to automatically audit patches as they land in the codebase, shifting from file-based scanning to real-time patch-based analysis.
Security experts note that the Mozilla-Anthropic collaboration signals a new inflection point, not just for browser security but for the entire software ecosystem. “Nothing Mythos found couldn’t have been found by a skilled human,” noted David Shipley of Beauceron Security. “The AI is not finding a new class of AI-exclusive super bugs. It’s just finding a lot of stuff that was missed.”
The dual-use risk remains: the same capability that helps defenders audit code could be wielded offensively. However, Mozilla’s results suggest that defenders who proactively deploy these pipelines gain a decisive first-mover advantage in eliminating entire classes of exploitable bugs before attackers can weaponize them.
FAQ
Q1: How many Firefox vulnerabilities did Claude Mythos find?
Claude Mythos Preview identified 271 vulnerabilities in a single evaluation cycle, contributing to a total of 423 fixes shipped by Mozilla in April 2026.
Q2: What types of bugs did the AI discover in Firefox?
The AI found sandbox escapes, use-after-free bugs, race conditions over IPC, decades-old XSLT and HTML rendering flaws, and buffer over-reads in parsing logic.
Q3: Were the AI-found vulnerabilities actually exploitable?
Yes. Within Firefox’s JavaScript engine, Claude converted over 72% of identified bugs into working proof-of-concept exploits, confirming real-world severity.
Q4: Can other software projects replicate Mozilla’s AI security pipeline?
Mozilla says any project can start today using an agentic harness with a modern AI model, beginning with simple prompting and iterating toward a full automated pipeline.
Site: thecybrdef.com