Mozilla Patches 423 Firefox Bugs in One Month — More Than the Previous 14 Months Combined

Mozilla fixed 423 security bugs in Firefox during April 2026 — a tally that exceeds the roughly 420 flaws patched over the prior 14 months. The rapid-fire cleanup relied on Anthropic’s Claude Mythos Preview, which the organization used to identify, triage, and help fix vulnerabilities at a pace the team described as compressing 14 months of work into four weeks.

A 20-year-old bug and a 15-year-old flaw

Among the disclosed bugs was Bug 2025977, a 20-year-old XSLT reentrancy issue that had lurked in the codebase since the early days of the browser. Another, Bug 2024437, was a 15-year-old flaw in the HTML <legend> element. Both were found and patched as part of the AI-assisted effort.

In total, Claude Mythos Preview helped Mozilla fix 271 bugs in the Firefox 150 release alone. Additional fixes landed in versions 149.0.2, 150.0.1, and 150.0.2. Of the 271 Firefox 150 bugs, 180 were rated sec-high, 180 were rated sec-moderate, and 11 were sec-low. (The numbers add up to 371, a discrepancy Mozilla did not immediately explain.)

How the AI pipeline worked

Mozilla built a dedicated pipeline to steer the AI toward specific areas of the codebase, generate reproducible test cases, filter out noise, deduplicate findings, triage severity, and move confirmed bugs into the standard security lifecycle. The goal was to cut down on the high noise burden that AI-generated security reports have historically carried when submitted to open-source projects. With improved models and a tailored harness, that dynamic appears to have shifted.

Sample bugs caught by the system included a WebAssembly GC bug, multiple IPC race conditions, a raw NaN deserialization issue, parent-process stack memory leakage, use-after-free flaws, and several sandbox escape candidates. Sandbox escapes are among the more dangerous classes of vulnerability — they typically require an attacker to compromise a content process first, then exploit a second bug to reach a privileged process.

Acceleration on the defensive side

Mozilla stated that the defensive side effectively compressed 14 months of vulnerability discovery and patching into a single month. That suggests a significant acceleration in the cycle from finding a bug to shipping a fix. The organization did not say whether the AI-assisted approach would become a permanent part of its security workflow, but the April numbers make a strong case for continued use.

The open-source community has long dealt with a flood of low-quality automated reports. Mozilla’s experience with Claude Mythos Preview indicates that with proper filtering and a focused harness, AI can produce actionable results at scale — and uncover bugs that had sat untouched for years.

Mozilla has not yet announced specific plans for the next round of AI-assisted audits. The Firefox 150 release is now out, and the team is likely already running the pipeline against the codebase for future updates.