Mozilla has made significant strides in enhancing the security of its Firefox browser, addressing a staggering 423 security vulnerabilities in April 2026 alone. This effort is nearly twenty times the monthly average from the previous year. The improvement was largely driven by a pioneering AI framework centered around Anthropic’s Claude Mythos Preview and other advanced language models.
AI-Driven Security Enhancements
The unprecedented number of vulnerabilities fixed was largely due to Mozilla’s early access to Claude Mythos Preview, which identified 271 of the total issues. These fixes were primarily included in the release of Firefox 150 on April 21, 2026, with additional corrections applied to versions 149.0.2, 150.0.1, and 150.0.2. Of the 271 vulnerabilities identified by Claude Mythos Preview in Firefox 150, 180 were considered high risk, 80 moderate, and 11 low, many of which could be exploited through normal user activities like visiting a harmful webpage.
Comprehensive Vulnerability Management
In addition to the AI-detected bugs, the remaining 152 vulnerabilities involved 41 reports from external sources and 111 discovered internally through various methods. These methods included other AI models and traditional fuzzing techniques. Notably, Anthropic’s Frontier Red Team contributed to the resolution of three distinct CVEs: CVE-2026-6746, CVE-2026-6757, and CVE-2026-6758.
Mozilla has publicly shared 12 significant bug reports to highlight the depth of AI analysis. These include longstanding flaws such as a 15-year-old issue with the HTML element and a 20-year-old use-after-free (UAF) bug in Firefox’s XSLT engine. Several of these bugs enable critical sandbox escapes, which are notoriously difficult to detect using traditional methods, demonstrating the value of AI in identifying such vulnerabilities.
The Future of AI in Software Security
Mozilla’s approach evolved from initial attempts with static-analysis tools using GPT-4 and Claude Sonnet 3.5, which produced excessive false positives. The key advancement came with agentic harness systems that not only propose bug hypotheses but also generate reproducible test cases to verify them, minimizing false positives and enabling large-scale deployment.
The AI-driven process builds on Mozilla’s existing fuzzing infrastructure, using multiple virtual machines to search for vulnerabilities in specific code areas. Mozilla has integrated the complete security bug lifecycle into this system, from deduplication to patch tracking and release management, involving over 100 contributors in the review, testing, and deployment of patches.
Despite the successes, Mozilla’s AI system also highlighted the effectiveness of previous security measures. Attempts to exploit prototype pollution for sandbox escapes were thwarted by Mozilla’s strategy to freeze JavaScript prototypes, underscoring the importance of defense-in-depth.
Looking forward, Mozilla plans to incorporate this AI pipeline into its continuous integration system, allowing for real-time scanning of new patches. This advancement signifies a major step in utilizing AI to enhance cybersecurity and maintain robust software defense strategies.
