AI model finds 271 Firefox zero‑days

- Anthropic's Claude Mythos AI reportedly identified hundreds of vulnerabilities in Firefox.
- The model is said to have found 271 zero-day vulnerabilities, the largest batch Firefox has fixed so far.
- This highlights how generative models can speed up legitimate security research while also raising the risk of offensive hacking. (x.com)

A browser flaw is a coding mistake that can let a website break out of its lane, and Mozilla said Firefox 150 fixed 271 vulnerabilities found with Anthropic’s Claude Mythos Preview. (blog.mozilla.org)

Mozilla said the fixes shipped on April 21, 2026, in Firefox 150 after its team used an early Mythos model in an evaluation that began in February. Mozilla had previously used Anthropic’s Claude Opus 4.6 and said that earlier run led to fixes for 22 security-sensitive bugs in Firefox 148. (blog.mozilla.org) (anthropic.com)

A zero-day is a bug the vendor did not know about before it was reported, and Anthropic said Claude had already found more than 500 such flaws across well-tested open-source software. Anthropic said Firefox was chosen because it is a large, heavily audited codebase used by hundreds of millions of people. (anthropic.com)

Mozilla’s April 21 advisory lists more than 40 Common Vulnerabilities and Exposures, or CVEs, in Firefox 150, including high-impact bugs such as use-after-free, privilege-escalation and memory-safety issues. The advisory credits Claude from Anthropic on three named CVEs: CVE-2026-6746, CVE-2026-6757 and CVE-2026-6758. (mozilla.org)

Security researchers said the gap between 271 internal findings and about 40 public CVEs likely means many of the bugs were lower-severity defects, hardening fixes or issues that do not get their own public identifier. Mozilla has not published a full bug-by-bug breakdown of all 271 findings. (securityweek.com) (mozilla.org)

Mozilla said the model did not uncover some alien class of defect; Firefox Chief Technology Officer Bobby Holley wrote that the bugs still looked like the kinds of problems an elite human researcher could find. He said the change was speed and volume, not a new physics of software failure. (blog.mozilla.org)

Anthropic is not broadly releasing Mythos Preview. The company said in April that it was limiting access through Project Glasswing, a program with partners including Amazon Web Services, Apple, Cisco, Google, Microsoft, Nvidia and Palo Alto Networks. (anthropic.com) (red.anthropic.com)

Anthropic also said Mythos Preview can identify and exploit zero-day vulnerabilities in every major operating system and major web browser when directed by a user. The United Kingdom’s AI Security Institute said the model was stronger than earlier frontier systems at chaining tasks together into multi-step attacks. (red.anthropic.com) (aisi.gov.uk)

Mozilla said Firefox has long relied on layered defenses such as process sandboxes, Rust code and fuzzing, which is automated crash-testing for software. Its latest post argues those older tools are now being joined by language models that can read code, reason about program behavior and hand engineers a much larger repair queue. (blog.mozilla.org)

For Firefox users, the immediate fact is simpler than the policy fight: version 150, released April 21, 2026, carries the fixes. Mozilla’s security team said the work is not finished, but the 271-bug patch set is already in the browser people download today. (developer.mozilla.org) (mozilla.org)
