AI Finds Hundreds of Firefox Bugs
- Reports claim Anthropic’s Claude Mythos assisted in discovering hundreds of vulnerabilities in Firefox during a security sweep.
- Coverage states Mozilla’s Firefox 150 patched roughly 271 issues reportedly found with AI assistance.
- The episode highlights rising AI-assisted bug discovery throughput and reinforces the value of continuous fuzzing and dependency hygiene (eweek.com).

A browser bug is a mistake in code that can crash a tab, leak data, or let an attacker run code — and Mozilla says Firefox 150 fixed 271 of them after testing Anthropic’s Claude Mythos Preview. (blog.mozilla.org)

Mozilla’s developer notes say Firefox 150 shipped on April 21, 2026. Mozilla’s security advisory for that release lists dozens of CVEs and credits multiple Firefox bugs to “using Claude from Anthropic.” (developer.mozilla.org, mozilla.org)

Anthropic and Mozilla had already disclosed a smaller March 6 collaboration in which Claude Opus 4.6 found 22 Firefox vulnerabilities in two weeks, including 14 Mozilla rated high severity. Anthropic said that total was nearly a fifth of all high-severity Firefox vulnerabilities remediated in 2025. (anthropic.com)

Mozilla said the newer Mythos evaluation was an “initial evaluation” with an early preview model, not a public product rollout. In a post published April 21, Mozilla wrote that the 271 fixes landed in Firefox 150 after that test. (blog.mozilla.org)

A vulnerability is a flaw that creates an opening for abuse; fuzzing is the practice of throwing huge volumes of malformed inputs at software to make those openings appear. Mozilla’s advisory for Firefox 150 separately credits its fuzzing team on memory-safety bugs, showing the AI sweep landed alongside older automated testing methods rather than replacing them. (mozilla.org)

Many of the Firefox 150 bugs were memory-safety problems such as use-after-free and uninitialized memory. Those are coding errors where a program reuses freed data or reads data before it is properly set, and they can lead to crashes, data leaks, or code execution. (mozilla.org)

Mozilla also said the flood of findings changed the economics of browser defense. Firefox Chief Technology Officer Bobby Holley wrote that one bug of this class “would have been red-alert in 2025,” but defenders now have to prepare for many arriving at once. (blog.mozilla.org)

Anthropic has framed the same shift in broader terms, saying Claude had already found more than 500 zero-day vulnerabilities in open-source software before the Firefox write-up. Its Mythos Preview page says companies that have not adopted language-model bugfinding tools could still uncover “many hundreds” of flaws with current frontier models. (anthropic.com, red.anthropic.com)

That does not mean every AI-generated report is useful. Mozilla wrote last month that AI-assisted bug reports have had a “mixed track record,” and said Anthropic’s reports stood out because they included minimal test cases that let engineers reproduce the issues quickly. (blog.mozilla.org)

The immediate takeaway for Firefox users is simpler than the research story: update the browser. Mozilla has already shipped the fixes in Firefox 150, and its own posts now describe AI-assisted bug hunting as part of the security work needed to keep pace. (developer.mozilla.org, blog.mozilla.org)