Anthropic’s artificial intelligence model, Claude Opus 4.6, recently discovered 22 security vulnerabilities in the Firefox web browser during a focused two-week research period in early 2026. Of these findings, 14 were classified as high-severity flaws, representing nearly one-fifth of all high-severity Firefox vulnerabilities fixed by Mozilla in 2025. This rapid discovery demonstrates AI’s growing ability to identify critical software weaknesses more quickly than traditional human-led efforts.
AI Outperforms Human Bug Hunters
The large language model, Claude Opus 4.6, proved exceptionally efficient in its hunt for bugs. Mozilla researchers confirmed that the AI model uncovered more high-severity flaws in just two weeks than the global security research community typically reports in a two-month period. The total number of vulnerabilities found by Claude Opus 4.6 in February 2026 surpassed the total reported from all sources in any single month of 2025. This speed suggests a significant shift in how software companies can approach vulnerability detection.[timesofindia+2]
Mozilla engineers were initially contacted by Anthropic after Claude identified its first serious flaw. Brian Grinstead, an engineer at Mozilla, expressed enthusiasm for the findings. "What else do you have? Send us more," Grinstead said. This led to a close collaboration between Anthropic's Frontier Red Team and Mozilla’s security experts.[timesofindia]
How Claude Found Firefox Flaws
Anthropic specifically chose Firefox for this test due to its complex codebase and its reputation as one of the most rigorously tested open-source projects globally. The AI model began by scanning nearly 6,000 C++ files across the Firefox codebase. Within just 20 minutes of starting its analysis, Claude Opus 4.6 identified a "Use After Free" vulnerability in Firefox’s JavaScript engine. This type of bug is a severe memory corruption issue that could allow attackers to overwrite data with malicious code.[timesofindia+12]
Following this initial discovery, Anthropic submitted a total of 112 unique reports to Mozilla. These reports included the 22 security vulnerabilities, which comprised 14 high-severity, seven moderate-severity, and one low-severity issue. Mozilla quickly addressed most of these problems in Firefox 148, which was released in early 2026.[cyberpress+8]
Mozilla researchers noted the significant impact of the AI's work. "AI is making it possible to detect severe security vulnerabilities at highly accelerated speeds," they stated. They added that the sheer volume and quality of the findings underscore the potential of AI in cybersecurity. "The scale of findings reflects the power of combining rigorous engineering with new analysis tools for continuous improvement," Mozilla said. "We view this as clear evidence that large-scale, AI-assisted analysis is a powerful new addition in security engineers' toolbox."[securityaffairs+7]
Limitations and Future of AI in Security
Despite its success in finding vulnerabilities, Claude Opus 4.6 showed limitations in exploiting them. Anthropic researchers tasked the AI with creating functional exploits for the discovered bugs. After hundreds of attempts and spending approximately $4,000 in API credits, Claude only succeeded in creating two "crude browser exploits." These exploits only worked in a controlled testing environment where Firefox’s built-in security features, like sandboxing, were intentionally disabled. This suggests that while AI excels at detection, the complex task of weaponizing vulnerabilities still largely requires human expertise.[pcmag+12]
Experts also caution against over-reliance on AI for security. Daniel Stenberg, a lead developer at software firm curl, noted that his company has seen "an explosion in AI slop reports." He indicated that fewer than one in 20 bugs reported to curl in 2025 were actually real, highlighting the issue of AI "hallucinating" security problems.[pcmag+1]
Anthropic recently launched Claude Code Security, a new initiative aimed at using AI to both highlight vulnerabilities and suggest targeted fixes for human review. This move signals Anthropic’s deeper push into the cybersecurity sector. The collaboration with Mozilla highlights a growing trend where AI tools act as powerful assistants, augmenting human security teams rather than fully replacing them. The goal is to secure software infrastructure more effectively before malicious actors can exploit newly discovered flaws.[pcmag+4]


