Mozilla announced on May 7, 2026, that it used Claude Mythos Preview to identify 271 security vulnerabilities in Firefox, which were fixed across versions 149.0.2, 150, 150.0.1, and 150.0.2. The vulnerabilities included 180 security-high severity issues, 80 security-moderate, and 11 security-low, representing a dramatic increase in vulnerability discovery compared to traditional methods.
April 2026 Saw 423 Total Security Fixes, Up from 20-30 Per Month
In April 2026 alone, Mozilla fixed 423 total security bugs—a dramatic increase from the previous 20-30 per month throughout 2025. The team built an "agentic harness" that could dynamically test hypotheses about vulnerabilities by creating and running reproducible test cases. They started with Claude Opus 4.6, then upgraded to Claude Mythos Preview, parallelizing jobs across ephemeral VMs with each targeting specific files.
Critical Vulnerabilities Include Decades-Old Flaws
Notable vulnerabilities discovered include a 15-year-old flaw in the HTML legend element, a 20-year-old XSLT bug involving reentrant key() calls, a race condition over IPC allowing compromised content processes to manipulate IndexedDB refcounts and trigger use-after-free, and a buffer over-read during HTTPS RR and ECH parsing. Several were sandbox escapes requiring chaining with other exploits for full Firefox compromise.
Three CVEs Credited to Claude in Firefox 150
More than 40 CVEs were addressed in Firefox 150, with three credited directly to Claude: CVE-2026-6746, CVE-2026-6757, and CVE-2026-6758. Over 100 Mozilla employees contributed to shipping these fixes.
Agentic Approach Eliminates False Positive Problem
Mozilla engineers emphasized that unlike early LLM code audits that generated excessive false positives, the agentic approach proved effective because harnesses could "find real bugs and dismiss unreproducible speculation" through dynamic testing capabilities. Key to success was integrating discovery with Firefox's existing fuzzing infrastructure and creating project-specific pipelines for deduplication, triaging, and bug tracking. According to Mozilla Hacks, "The introduction of agentic harnesses that can reliably detect security issues has completely changed this."
Key Takeaways
- Mozilla used Claude Mythos Preview to identify 271 security vulnerabilities in Firefox, including 180 high-severity, 80 moderate, and 11 low-severity issues
- Mozilla fixed 423 total security bugs in April 2026 alone, up from the previous average of 20-30 per month throughout 2025
- The agentic harness approach eliminated false positives by dynamically testing and reproducing vulnerabilities, unlike traditional LLM code audits
- Notable discoveries included a 15-year-old HTML legend element flaw and a 20-year-old XSLT bug, with several sandbox escapes requiring exploit chaining
- Three CVEs in Firefox 150 were credited directly to Claude: CVE-2026-6746, CVE-2026-6757, and CVE-2026-6758