Mythos discovers 271 security bugs in Mozilla Firefox with magnifying glass highlighting vulnerabilities

Claude Mythos Found 271 Security Bugs in Firefox — Here is What You Need to Know

Bychirag

In what cybersecurity researchers are calling a watershed moment for AI-powered security research, Anthropic’s newly unveiled Claude Mythos Preview has identified 271 security vulnerabilities in Mozilla Firefox — all of which have been patched in Firefox 150, released April 2026. The scale and speed of the discovery is unlike anything the industry has seen before, and it is already reshaping how security teams think about vulnerability research.

What Happened: 271 Bugs, One AI Model, One Pass

Mozilla and Anthropic’s security collaboration began in February 2026. In an earlier phase, Mozilla applied Claude Opus 4.6 alongside Anthropic’s red team to Firefox 148 and uncovered 22 security-sensitive bugs — 14 of them high-severity. That was already considered an impressive result for a single AI-assisted review cycle.

Then came Claude Mythos Preview.

Applied to Firefox as part of Anthropic’s restricted Project Glasswing programme, Mythos returned 271 vulnerabilities in a single evaluation pass — more than twelve times the number found by its predecessor. All were patched before public disclosure, landing in the Firefox 150 release.

To put the scale in context: 271 vulnerabilities represents approximately 3.7 times the total high-severity issues Mozilla addressed across the entirety of 2025.

What Kinds of Bugs Did Claude Mythos Find?

The vulnerabilities span several critical categories within Firefox’s attack surface:

  • Rendering engine bugs — flaws in how Firefox processes and displays web content
  • Sandbox escape vulnerabilities — issues that could allow attackers to break out of Firefox’s isolated process sandbox
  • Memory safety issues — particularly notable given Firefox’s heavy use of Rust, a language specifically chosen for its memory safety guarantees
  • JavaScript engine flaws — Mythos successfully exploited 72.4% of identified vulnerabilities in Firefox’s JS environment and achieved register control in an additional 11.6% of cases

Mozilla noted that the discovered bugs were not entirely new categories of vulnerability — they were the kind that elite human researchers could theoretically find. The difference is that Mythos found 271 of them, at a speed and scale no human team could match.

“For a hardened target, just one such bug would have been red-alert in 2025, and so many at once makes you stop to wonder whether it’s even possible to keep up.”

— Bobby Holley, CTO of Firefox

Three CVEs Officially Credited to Claude

While 271 bugs were fixed in Firefox 150, three have received official CVE assignments credited directly to Claude Mythos in Mozilla’s security advisory:

  • CVE-2026-6746
  • CVE-2026-6757
  • CVE-2026-6758

The remaining vulnerabilities are likely lower-severity issues or flaws that do not individually meet the threshold for a public CVE, though Mozilla chose to patch all of them proactively.

What Is Claude Mythos Preview?

Claude Mythos is Anthropic’s latest frontier AI model, specifically engineered for deep technical reasoning. It has posted exceptional benchmark scores: 93.9% on SWE-bench (software engineering tasks) and 97.6% on USAMO (competition-level mathematics). But its most striking capability is its ability to reason through complex source code and identify security flaws that traditional automated tools like fuzzers completely miss.

Where fuzzers throw random inputs at a program and wait for crashes, Mythos reads code the way a human security researcher does — understanding context, tracking data flow, and identifying logical conditions that could be exploited. Computers, as Mozilla put it, “were completely incapable of doing this a few months ago, and now they excel at it.”

Project Glasswing: Restricted Early Access

Anthropic did not release Claude Mythos to the public. Instead, the company launched Project Glasswing, a selective programme granting early access to a small number of major organisations. Known members include:

  • AWS, Apple, Broadcom, Cisco, CrowdStrike
  • Google, JPMorgan Chase, Linux Foundation
  • Microsoft, Nvidia, Palo Alto Networks, Mozilla

The decision to restrict access reflects a deliberate choice by Anthropic: a model this capable of finding exploitable vulnerabilities carries significant dual-use risk if released publicly without guardrails.

Beyond Firefox: Legacy Bugs in Critical Infrastructure

The Firefox partnership is the most headline-grabbing application of Claude Mythos so far, but not the only one. The model has also surfaced buried vulnerabilities in foundational software that had gone undetected for decades:

  • A 27-year-old vulnerability in OpenBSD
  • A 16-year-old vulnerability in FFmpeg
  • A 17-year-old vulnerability in FreeBSD

These findings underscore a sobering reality: critical software that millions depend on every day may be carrying bugs that have existed since before many of today’s developers were born.

Does This Shift the Balance to Defenders?

Historically, cybersecurity has been an asymmetric game. Attackers need to find only one working vulnerability to succeed; defenders need to patch every single one. AI models like Claude Mythos could fundamentally change that equation.

“Defenders finally have a chance to win, decisively.”

— Bobby Holley, CTO of Firefox

Mozilla’s position is that the AI does not exceed what the very best human security researchers can do — but it can do it at machine speed and scale, across an entire codebase, without fatigue. Mozilla goes so far as to suggest we are “entering a world where we can finally find them all.”

Should Firefox Users Be Worried?

No — and this outcome is actually the best-case scenario for users. All 271 vulnerabilities were discovered by a defender and patched before any attacker could exploit them. There is no evidence that any of these flaws were known to or used by malicious actors.

The immediate action item for all Firefox users is simple: update to Firefox 150 if you have not already. The update includes fixes for all 271 vulnerabilities.

The Bigger Picture for the Security Industry

This story is not just about Firefox. It signals a structural change in how large-scale software security review will be conducted going forward. What once required a team of world-class researchers working for months can now be replicated by an AI model in a single pass.

For defenders with access, this is transformative. The question the industry now faces is not whether AI will reshape vulnerability research — that has already happened. The question is who gets access, and on what terms.

Firefox users should update immediately to Firefox 150 to receive all security patches. Check Mozilla’s official release notes for full details.

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *