Mozilla, the developer of Firefox, fixed 423 security bugs in April after employing an AI agent harness with Anthropic's limited-access model. Among the flaws were issues that had gone undetected for 20 years. Mozilla plans to integrate the approach deeper into its development pipeline.
Mozilla used Anthropic's Claude Mythos Preview to discover 271 Firefox security vulnerabilities, prompting fixes that contributed to a sharp rise in patched bugs during its April releases. The organization fixed 423 security bugs in those April releases. That compares with 25 security bugs fixed in January 2026 and 76 security bugs fixed in March 2026.
Of the 271 bugs found using Mythos, 180 were rated sec-high by Mozilla, 80 were rated sec-moderate and 11 were rated sec-low. Mozilla developed a custom agent harness to guide Claude Mythos Preview through analysis of Firefox source code. The agent harness provides Mythos with tools to read and write files, evaluate test cases, craft test cases and run them against Firefox's sanitizer build.
A second LLM is used to grade the output of the first LLM analyzing Firefox code. Mozilla published a blog post on May 8, 2026 detailing its use of Claude Mythos Preview. The company unhid full Bugzilla reports for 12 of the 271 vulnerabilities discovered using Mythos.
The 12 disclosed bugs include test cases that meet Mozilla's criteria for security vulnerabilities in Firefox. One bug discovered by Mythos had existed undetected for 20 years. One bug discovered by Mythos was a 15-year-old issue in an HTML element caused by rare edge-case interactions.
One bug discovered by Mythos was a 20-year-old XSLT bug where repeated key() calls could free memory while still in use. One bug involved an incorrect equality check in Firefox's JIT engine that could skip initializing a WebAssembly structure, potentially allowing arbitrary memory read and write.
One bug involved a race condition over inter-process communication that could let a compromised content process manipulate IndexedDB reference counts and trigger a use-after-free.
One bug involved raw NaN values crossing an IPC boundary being mistaken for JavaScript object pointers, potentially allowing sandbox escape. One bug exploited special rowspan=0 table behavior by adding over 65,535 rows, causing an overflow in a 16-bit layout field.
Mozilla's CTO declared last month that AI-assisted vulnerability detection means zero-days are numbered and defenders finally have a chance to win decisively.
Brian Grinstead, a Mozilla Distinguished Engineer, said in an interview that with the harness, as long as you can define a deterministic success signal, you can keep telling the model to keep working. He said the bugs coming out have almost no false positives.
Grinstead said the details provided by the harness-guided Mythos analysis give a level of confidence his team did not have before. He said there is no sort of marketing angle and that Mozilla's team has completely bought in on this approach. Anthropic has limited access to Claude Mythos Preview to only a handful of chosen companies, including Mozilla.
Mozilla plans to expand the system by integrating AI analysis directly into Firefox's development pipeline.