Claude Mythos helped Mozilla find 271 Firefox vulnerabilities ahead of Firefox 150


Mozilla says an early version of Anthropic’s Claude Mythos Preview helped its security team identify 271 vulnerabilities in Firefox, with fixes landing in Firefox 150 this week. The company described the result as a major shift in how defenders may find and fix serious software flaws at scale.

The work builds on an earlier collaboration announced in March. At that stage, Anthropic said Claude Opus 4.6 found 22 Firefox vulnerabilities in a two-week engagement, and Mozilla shipped those fixes in Firefox 148. Anthropic said that run produced more Firefox vulnerability reports in one month than any single month in 2025.

Mozilla now says the follow-up evaluation with Claude Mythos Preview went much further. In a blog post published on April 22, 2026, the company said Firefox 150 includes fixes for 271 vulnerabilities identified during this initial Mythos evaluation.

Mozilla says AI bug hunting has entered a new phase

Mozilla framed the findings as more than a one-off research success. The company said the volume of issues forced its team to confront how quickly advanced AI systems can now surface security weaknesses in mature software that already receives heavy scrutiny from human researchers and traditional tooling.

Anthropic makes similar claims about Mythos Preview’s offensive security capability. In its April 7 write-up, the company said the model can identify and exploit zero-day vulnerabilities across major operating systems and browsers when directed to do so, and that many of the flaws it finds are subtle, old, and hard to detect.

That said, the official Mozilla language matters here. Mozilla’s post says Firefox 150 fixed 271 vulnerabilities identified during the evaluation, but the public security advisory for Firefox 150 does not list 271 separate CVE entries. Instead, Mozilla groups some issues together, including broader memory safety bug buckets, which means the raw number of vulnerabilities and the number of advisory items are not the same thing.

What Firefox 150 actually fixed

Mozilla’s Firefox 150 advisory, published April 21, 2026, flags the release as high impact and includes multiple serious issues, including use-after-free bugs and grouped memory safety flaws that could potentially lead to arbitrary code execution. One of the listed entries credits Claude from Anthropic alongside named researchers for reporting a high-severity DOM issue tracked as CVE-2026-6746.

The advisory also includes grouped entries for memory safety bugs fixed across Firefox, Thunderbird, and ESR releases. Mozilla notes that some of those bugs showed evidence of memory corruption and presumes that, with enough effort, some could have been exploited to run arbitrary code.

That makes the Firefox 150 release significant even without repeating every headline claim from secondary coverage. The official record clearly shows that Mozilla shipped a security-heavy update and directly tied at least part of that work to Anthropic’s model-assisted research.

Why the Mythos claims matter beyond Firefox

Anthropic says Mythos Preview represents a major leap in automated vulnerability research. In its official write-up, the company said the model can autonomously find and exploit zero-days across major browsers and operating systems, and cited examples such as a 27-year-old OpenBSD bug and older flaws in FFmpeg and FreeBSD.

Mozilla’s blog suggests the broader security impact may be uneven. The company argued that large organizations may still be able to absorb a sudden rise in high-quality vulnerability reports, but smaller open-source projects could struggle if frontier AI systems begin generating far more actionable findings than maintainers can realistically triage and patch.

In other words, Firefox may be an early example of a much bigger transition. If frontier models can reliably surface serious flaws in hardened and widely audited codebases, defenders gain a powerful new tool, but software teams may also face a flood of valid bug reports that changes the economics of secure development.

Key facts at a glance

Item | Verified detail
Model | Claude Mythos Preview
Organization using it | Mozilla, in collaboration with Anthropic
Main claim | 271 Firefox vulnerabilities identified during the initial Mythos evaluation
Release that shipped fixes | Firefox 150
Earlier phase | Claude Opus 4.6 found 22 Firefox vulnerabilities, fixed in Firefox 148
Official Firefox 150 advisory date | April 21, 2026

The table reflects official Mozilla and Anthropic statements.

What security teams should take from this

  • AI-assisted code review is moving from experiment to real-world vulnerability discovery.
  • Public advisories may not map one-to-one with the total number of flaws a model identifies. Grouped fixes can hide that complexity.
  • Mature projects with strong security processes may adapt faster than smaller open-source teams.
  • Browser and operating system vendors now need to plan for much faster vulnerability discovery cycles.

FAQ

Did Claude Mythos really find 271 Firefox vulnerabilities?

Mozilla says an early Claude Mythos Preview evaluation identified 271 Firefox vulnerabilities, and Firefox 150 shipped fixes for them.

Were all 271 issues listed as separate CVEs?

No. Mozilla’s official advisory does not list 271 standalone CVE entries. Some issues appear in grouped categories, especially memory safety fixes.

What happened before Firefox 150?

Anthropic said Claude Opus 4.6 previously found 22 Firefox vulnerabilities in a two-week effort, and Mozilla shipped those fixes in Firefox 148.

Why is this important?

It shows that frontier AI models may now find serious software flaws much faster than before, which could help defenders but also overwhelm smaller software teams with more valid reports than they can easily handle.
