4 Sources
[1]
Mozilla says 271 vulnerabilities found by Mythos have "almost no false positives"
The disbelief was palpable when Mozilla's CTO last month declared that AI-assisted vulnerability detection meant "zero-days are numbered" and "defenders finally have a chance to win, decisively." After all, it looked like part of an all-too-familiar pattern: cherry-pick a handful of impressive AI-achieved results, leave out any of the fine print that might paint a more nuanced picture, and let the hype train roll on.

Mindful of the skepticism, Mozilla on Thursday provided a behind-the-scenes look into its use of Anthropic Mythos -- an AI model for identifying software vulnerabilities -- to ferret out 271 Firefox security flaws over two months. In a post, Mozilla engineers said the finally ready-for-prime-time breakthrough they achieved was primarily the result of two things: (1) improvement in the models themselves and (2) Mozilla's development of a custom "harness" that supported Mythos as it analyzed Firefox source code.

"Almost no false positives"

The engineers said their earlier brushes with AI-assisted vulnerability detection were fraught with "unwanted slop." Typically, someone would prompt a model to analyze a block of code. The model would then produce plausible-reading bug reports, often at unprecedented scale. Invariably, however, when human developers investigated further, they would find that a large percentage of the details had been hallucinated. The humans would then need to invest significant work handling the vulnerability reports the old-fashioned way.

Mozilla's work with Mythos was different, Mozilla Distinguished Engineer Brian Grinstead said in an interview. The biggest differentiating factor was the use of an agent harness, a piece of code that wraps around an LLM to guide it through a series of specific tasks. For such a harness to be useful, significant resources must go into customizing it to the project-specific semantics, tooling, and processes it will be used for.
Grinstead described the harness his team built as "the code that drives the LLM in order to accomplish a goal. It gives the model instructions (e.g., 'find a bug in this file'), provides it tools (e.g., allowing it to read/write files and evaluate test cases), then runs it in a loop until completion." The harness gave Mythos access to the same tools and pipeline human Mozilla developers use, including the special Firefox build they use for testing. He elaborated:

With these harnesses, so long as you can define a deterministic and clear success signal or task verification signal, you can just keep telling it to keep working. In our case, when we're looking for memory safety issues, we have our sanitizer build of Firefox, and if you make it crash, you win. We point that agent off to a source file and say: "we know there's an issue in this file, please go find it." It will craft test cases. We have our existing fuzzing systems and tools to be able to run those tests. It will say: "I think there's an issue here if I craft the HTML exactly so." It sends it off to a tool, the tool says yes or no. If the tool says yes, then there's some additional verification.

The additional verification comes in the form of a second LLM that grades the output from the first. A high score gives developers the same confidence they have when viewing reports generated through more traditional discovery methods. "In terms of the bugs coming out on the other side, there are almost no false positives," he said.

Thursday's behind-the-scenes view includes the unhiding of full Bugzilla reports for 12 of the 271 vulnerabilities Mozilla discovered using Mythos and, to a lesser extent, Claude Opus 4.6. The test cases -- meaning the HTML or other code that triggers an unsafe memory condition -- are provided in each one and meet the same criteria Mozilla requires for all bugs to be considered security vulnerabilities in Firefox.
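The loop Grinstead describes hinges on one thing: the model's claim counts for nothing until the instrumented build actually reports a sanitizer error, and only then does a second stage look at it. The following is an added illustration of that verification half of such a harness, written for this page; it is not Mozilla's harness or any code from the Firefox project. It assumes a hypothetical `run_build` callable that launches a sanitizer build on a candidate test case and returns its stderr (here replaced by a constructed lookup table), and the AddressSanitizer and LeakSanitizer reports are constructed, with made-up addresses, symbols and paths. The rule-based `pre_grade` stands in for the second-stage grader and its policy is this example's assumption, not Mozilla's.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Constructed AddressSanitizer report: what the instrumented build's stderr
# might look like when a candidate test case trips a use-after-free.
# Every address, symbol and path below is made up for this example.
CRASH_UAF = """\
==4242==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c000001234 at pc 0x5600deadbeef bp 0x7ffc1000 sp 0x7ffc0ff0
READ of size 8 at 0x60c000001234 thread T0
    #0 0x5600deadbeef in mozilla::dom::ExampleElement::Update() dom/html/ExampleElement.cpp:142
    #1 0x5600deadc0de in nsFrameManager::Reframe() layout/base/nsFrameManager.cpp:88
    #2 0x5600deadcafe in PresShell::FlushPendingNotifications() layout/base/PresShell.cpp:4021

0x60c000001234 is located 4 bytes inside of 128-byte region [0x60c000001230,0x60c0000012b0)
freed by thread T0 here:
    #0 0x5600aaaa0000 in free /sanitizer/asan_malloc_linux.cpp:52
    #1 0x5600deadd00d in mozilla::dom::ExampleElement::~ExampleElement() dom/html/ExampleElement.cpp:60
"""

# Constructed LeakSanitizer report: a sanitizer error that is not memory corruption.
LEAK_REPORT = """\
==4243==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 16 byte(s) in 1 object(s) allocated from:
    #0 0x5600aaaa1000 in malloc /sanitizer/asan_malloc_linux.cpp:69
"""

ERROR_RE = re.compile(r"==\d+==ERROR: (\w+Sanitizer): ([\w-]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+)", re.M)
# Symbolized frame: "#N 0xADDR in <function> <path>:<line>[:<col>]"
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (.+?) (\S+?):(\d+)(?::\d+)?\s*$", re.M)

# Error kinds this example's pipeline accepts as memory-safety violations (assumed policy).
MEMORY_SAFETY_KINDS = {
    "heap-use-after-free", "heap-buffer-overflow", "stack-buffer-overflow",
    "global-buffer-overflow", "stack-use-after-return", "double-free", "SEGV",
}


@dataclass
class SanitizerFinding:
    tool: str                  # e.g. AddressSanitizer
    kind: str                  # e.g. heap-use-after-free
    access: Optional[str]      # READ / WRITE when the report states it
    size: Optional[int]
    frames: List[str] = field(default_factory=list)  # symbolized frames of the faulting stack

    def signature(self) -> str:
        """Dedup key: error kind plus the top three frames of the faulting stack."""
        return self.kind + "|" + "|".join(self.frames[:3])


def parse_sanitizer_report(stderr: str) -> Optional[SanitizerFinding]:
    """Turn raw sanitizer output into a structured finding; None if the run was clean."""
    m = ERROR_RE.search(stderr)
    if m is None:
        return None
    rest = stderr[m.end():]
    access = ACCESS_RE.search(rest)
    # The faulting stack ends at the first blank line; the "freed by" and
    # "previously allocated by" stacks that follow are not part of the key.
    first_stack = rest.split("\n\n", 1)[0]
    frames = [f"{func} {path}:{line}" for _, func, path, line in FRAME_RE.findall(first_stack)]
    return SanitizerFinding(
        tool=m.group(1), kind=m.group(2),
        access=access.group(1) if access else None,
        size=int(access.group(2)) if access else None,
        frames=frames,
    )


def verify_candidate(testcase: str, run_build: Callable[[str], str]) -> Optional[SanitizerFinding]:
    """The deterministic success signal: the sanitizer build must actually report an error."""
    return parse_sanitizer_report(run_build(testcase))


def pre_grade(finding: SanitizerFinding) -> Tuple[bool, str]:
    """Rule-based filter ahead of the second-stage review (an LLM in the article)."""
    if finding.tool == "LeakSanitizer":
        return False, "memory leak, not a memory-safety violation"
    if finding.kind not in MEMORY_SAFETY_KINDS:
        return False, f"error kind {finding.kind!r} is not one this pipeline accepts"
    if not finding.frames:
        return False, "faulting stack has no symbolized frames, so the report cannot be reviewed"
    return True, f"reproducible {finding.kind} with a symbolized stack"


def triage(candidates: List[str], run_build: Callable[[str], str]) -> Dict[str, SanitizerFinding]:
    """Run every model-proposed test case; keep only verified, deduplicated findings."""
    accepted: Dict[str, SanitizerFinding] = {}
    for tc in candidates:
        finding = verify_candidate(tc, run_build)
        if finding is None:
            continue  # the model's claim did not reproduce: dismissed automatically
        ok, _reason = pre_grade(finding)
        if not ok:
            continue
        accepted.setdefault(finding.signature(), finding)  # same crash via another path: one bug
    return accepted


# Hypothetical stand-in for launching the sanitizer build on a test case and
# collecting its stderr; a real runner would exec the instrumented browser.
FAKE_BUILD_OUTPUT = {
    "<legend-case-a>": CRASH_UAF,
    "<legend-case-b>": CRASH_UAF,  # a second route to the same bug
    "<benign-case>": "",           # ran clean: nothing to report
    "<leak-case>": LEAK_REPORT,
}


def fake_run_build(testcase: str) -> str:
    return FAKE_BUILD_OUTPUT.get(testcase, "")


if __name__ == "__main__":
    for sig, f in triage(list(FAKE_BUILD_OUTPUT), fake_run_build).items():
        print(f.kind, f.access, f.size, "->", f.frames[0])
```

Of the four constructed candidates, only one finding survives: the clean run never becomes a report, the leak is filtered out by policy, and the two test cases that reach the same faulting stack collapse into a single bug. That is the property the article's "almost no false positives" rests on: a reviewer only ever sees a reproducible crash with a symbolized stack, never the model's unverified narrative.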
At least one researcher said Thursday that a cursory look at the reports showed they were "pretty impressive." Unlike previous vulnerability-disclosure slop, Grinstead said, the details produced by its harness-guided Mythos analysis, confirmed by the second LLM and ultimately included in the reports, provide a level of confidence his team didn't have before. "That's the key thing that has unlocked our ability to operate at the scale we've been operating at now," he said. "It gives the engineer a crank they can pull that says: 'yep this has the problem,' and then you can iterate on the code and know clearly when you've fixed it and eventually land the test case in the tree such that you don't regress it."

As noted earlier, Mozilla's characterization of AI-assisted vulnerability discovery as a game changer has been greeted with massive and vocal amounts of skepticism in many quarters. Critics initially scoffed when Mozilla didn't obtain CVE designations for any of the 271 vulnerabilities. Like many developers, however, Mozilla doesn't obtain CVE listings for internally discovered security bugs. Instead, they are bundled into a single patch. Normally, Bugzilla reports detailing these "rollups" are hidden for several months after being fixed to protect those who are slow to patch. Now that Mozilla has revealed a dozen of them, the same critics will surely claim they too were cherry-picked and conceal less accurate results.

The critics are right to keep pushing back. Hype is a key method for inflating the already puffed-up valuations of AI companies. Given the extensive praise Mozilla has given to Mythos, it's easy for even more trusting people to wonder: What's it getting in return? Far from settling the debate, Thursday's elaborations are likely only to further stoke the controversy. To hear Grinstead tell it, however, the motivation is simple.
"People are a bit burned from the last year of these slop commits so we felt it was important to show some of our work, open up some of the bugs, and talk about it in a little more detail as a way to hopefully spur some action or continue the conversation," he said. "There's no sort of marketing angle here. Our team has completely bought in on this approach. We are trying to get a message out about this technique in general and not any specific model provider, company, or anything like that."
[2]
How Anthropic's Mythos has rewritten Firefox's approach to cybersecurity | TechCrunch
When Anthropic unveiled its new Mythos model in April, it also delivered a stern warning to anyone developing software. The model was so powerful at sniffing out software vulnerabilities, the lab claimed, that it had discovered thousands of high-severity bugs that would need to be fixed before it could be made public. Now, security researchers for Mozilla's Firefox browser are providing a closer look at what that process has looked like in practice, and what Mythos' powers mean for software security at large.

In a post published on Thursday, Mozilla said Mythos has unearthed a wealth of high-severity bugs, including some that had lain dormant in the code for more than a decade. That's a significant improvement from what AI security tools were capable of even six months ago. Until now, AI bug-finding tools have come with severe drawbacks, often inundating security teams with low-quality reports and false positives. But Mozilla's researchers say the latest generation of tools have turned a corner, particularly now that agentic systems can assess their own work and filter out bad results.

"It is difficult to overstate how much this dynamic changed for us over a few short months," the researchers wrote. "First, the models got a lot more capable. Second, we dramatically improved our techniques for harnessing these models."

The results are striking: In April 2026, Firefox shipped 423 bug fixes, compared to just 31 exactly a year earlier. The researchers have also published details on 12 of the bugs, which range from a pair of unusual sandbox vulnerabilities to a 15-year-old error in how the browser parses an HTML element.

"These things are actually just suddenly very good," Brian Grinstead, a distinguished engineer at Mozilla, told TechCrunch. "We see that on our own internal scanning, we see that on external bug reports, and we see that in all sorts of signals across the industry."
The fact that the system helped reveal vulnerabilities in Firefox's "sandbox" system is particularly impressive, given how intricate an attack that exploits it needs to be. To find sandbox vulnerabilities, the model must write a compromised patch for the browser, then attack the most secure part of the software with the new code implemented. Finding and demonstrating the bug is a delicate, multi-step process, requiring both creativity and close attention.

To put this into context, Mozilla's bug bounty program pays researchers who can find a bug in Firefox's sandbox up to $20,000 -- the highest reward available. Despite the top-dollar bounty, however, Grinstead says Mythos is finding more sandbox issues than human researchers ever did. "We do get them," he told TechCrunch, "but not at the volume that we are able to find with this technique."

Notably, the Firefox team still isn't using AI to fix the bugs, despite well-documented progress in AI coding tools. The team does ask AI to code up patches for each bug, but the resulting code usually can't be deployed directly, and instead serves as a model for a human engineer. "For the bugs we're talking about in this post, every single one is one engineer writing a patch and one engineer reviewing it," Grinstead says. "We have not found it to be automatable."

It's still not clear how AI's emerging capabilities will change the broader balance of power in cybersecurity. One month since Mythos was previewed, most of the bugs discovered likely haven't been patched, which makes it hard to capture the full scope of their impact. Anthropic has been scrupulous about following responsible disclosure norms, but it's likely bad actors are using similar techniques behind the scenes, even if the models they're using aren't quite as good. Speaking at a recent event, Anthropic CEO Dario Amodei was optimistic that the new tools would ultimately favor defenders.
"If we handle this right, we could be in a better position than we started, because we fixed all these bugs. There are only so many bugs to find," Amodei said. "So I think there's a better world on the other side of this." Having dealt with the gritty details, Grinstead has a more measured view: "It's useful for both attackers and defenders, but having the tool available shifts the advantage a little bit to defense. Realistically, nobody knows the answer to this yet."
[3]
Mozilla boasts Mythos boosted Firefox bug cull
Yet it remains unclear if Anthropic's uber model was effective, or if better model middleware is what makes the difference

Mozilla fixed 423 Firefox security bugs in April, a repair rate more than five times higher than the 76 fixes issued in March and almost 20 times higher than its 21.5 monthly average last year. The browser maker previously said Anthropic's ballyhooed Mythos Preview model found 271 of these in Firefox 150.

Now, a trio of technical types has come forward to provide a bit more detail about what Mythos (and its less storied sibling Opus 4.6) actually found. But they also highlight something that may matter more than the model: the agentic harness - the middleware mediating between AI and the end user.

Brian Grinstead, Firefox distinguished engineer, Christian Holler, Firefox tech lead, and Frederik Braun, head of the Firefox security team, observe that over the past few months, AI-generated security reports have gone from slop to rather more tasty. They attribute the transformation to better models and development of better ways of harnessing those models - steering them in a way that increases the ratio of signal to noise.

But they also appear to be aware that there's some skepticism in the security community about Mythos. So they've decided to publicize selected wins in an effort to encourage others to jump aboard the AI bug remediation train.

"Ordinarily we keep detailed bug reports private for several months after shipping fixes and issuing security advisories, largely as a precaution to protect any users who, for whatever reason, were slow to update to the latest version of Firefox," they said. "Given the extraordinary level of interest in this topic and the urgency of action needed throughout the software ecosystem, we've made the calculated decision to unhide a small sample of the reports behind the fixes we recently shipped."

The post links to a dozen Firefox bugs with varying degrees of severity.
The list includes, for example, a 20-year-old heap use-after-free bug (high severity) that a web page could trigger using the XSLTProcessor DOM API without any user interaction. Many of these bugs are sandbox escapes, they note, which are difficult to find using techniques like fuzzing. AI analysis, they say, helps provide broader security coverage. And they add that it has helped validate prior browser hardening work designed to prevent prototype pollution attacks - audit logs showed AI models making unsuccessful exploitation attempts using this technique.

Following Anthropic's announcement of Project Glasswing - a program for companies to gain early access to Mythos because it's touted as too dangerous for public release - security experts expressed skepticism. For example, Davi Ottenheimer, president of security consultancy flyingpenguin, wrote in an April 13 blog post, "The supposedly huge Anthropic 'step change' appears to be little more than a rounding error. The threat narrative so far appears to be ALL marketing and no real results. The Glasswing consortium is regulatory capture dressed up poorly as restraint."

He subsequently ran a test in which he strapped Anthropic's lesser models Sonnet 4.6 and Haiku 4.5 into a harness called Wirken with an auditing skill called Lyrik. The result was eight findings in two minutes at a cost of about $0.75, Ottenheimer claims, noting that two of the eight matched bugs Mythos had identified. Other security folk have also reported that bug hunting and exploit development can be quite productive with off-the-shelf models like Opus 4.6, which among other virtues costs about 5x less than Mythos.

In an email to The Register, Ottenheimer said, "There's a fundamental philosophical failure in the Mozilla post. A reading and a measurement are not the same thing. I don't see a measurement, but they seem to want us to believe we're looking at one.

"When they give us the 'behind the scenes math' it's circular, a trick. 'Mythos found 271 bugs' is what Mythos found, not what other tools could not find against the same code. Why leave it as an assumption if it can be proven?"

Ottenheimer said Mozilla advocates that every project adopt a similar approach without proving the merits of that approach. "It's like saying if you don't drink Coca-Cola, you can't run a mile under six minutes, because that's what a guy sponsored by Coca-Cola just did," he said. "The bar moves on rhetoric, marketing, not proper evidence. That is the capture crew again."

He notes that the merits of Mythos might be more convincing if Mozilla had reported they couldn't do this work without Mythos. And since they're not saying that, he suggests, it's worth asking why there's no transparent comparison of Mythos to other models. He points to Mozilla's admission that Opus 4.6 was already identifying "an impressive amount of previously unknown vulnerabilities."

"Mozilla never quantifies what Opus 4.6 [did] before saying what Mythos added," he said. "So 271 attributed to Mythos doesn't fit the analysis. And there's a deeper reveal when they say 'we dramatically improved our techniques for harnessing these models.' The improvement may be entirely in the harness, not as much in the model. This maps to my own experience. A nail gun has advantages over the hammer, yet without being in the right hands the outputs are as bad or worse."
[4]
Claude Mythos found decade old Firefox bugs that years of fuzzing missed
There's a 15-year-old bug hiding in Firefox's <legend> element - one of the most boring tags in HTML. It survived over a decade of fuzzing, manual audits, and security research. Claude Mythos found it in days.

That's the lead story from the thorough post-mortem by Mozilla detailing how it leveraged Claude Mythos Preview from Anthropic to discover and patch 271 security flaws in Firefox, leading to the most heavily patched version in the browser's history. Firefox 150 was released with all 271 security flaws patched; some extra patches were later rolled into Firefox 149.0.2 and 150.0.1. In April alone, Mozilla fixed 423 security flaws in total, a feat that would have been inconceivable just six months ago.

A good example of how AI is solving problems that fuzzing can't is the <legend> bug, where a collision of three entirely independent Firefox behaviors causes a use-after-free vulnerability, in which the browser frees memory that is still in use. Each behavior, on its own, appears innocent enough, but when all three come together, something nasty happens. As such, an automated fuzzer wouldn't have picked up the bug, but Claude Mythos found it because it was capable of making sense of all three behaviors coming together.

That combinatorial reasoning is the core difference. Earlier attempts at AI-assisted security audits using models like GPT-4 and Claude Sonnet 3.5 produced too many false positives to be useful at scale; it's cheap to prompt a model to find a "problem" in code, but slow and expensive for engineers to chase down dead ends. What changed is the introduction of agentic harnesses: systems that don't just flag suspicious code but actually build and run reproducible test cases to confirm whether a bug is real. If it can't be reproduced, it gets dismissed automatically. That filter is what makes the pipeline scalable. Mozilla took a novel approach, building its own harness on top of its existing fuzzing framework, distributed across numerous ephemeral VMs targeting specific codebase files.

The bugs they discovered are anything but easy. In particular, they found several sandbox escape exploits which assume the compromise of a content process and an attack on the higher-level parent process. Bugs like these have proven notoriously difficult to detect with conventional techniques. A 20-year-old vulnerability in a buggy implementation of XSLT, a NaN value capable of functioning as a pointer for a JavaScript object in cross-process communication, and a race condition allowing exploitation through the WebTransport protocol via massive flooding of certificate hashes - these are just some of the vulnerabilities that require multi-step reasoning to detect. Out of the 271 bugs found by Claude Mythos in Firefox version 150, a staggering 180 have been flagged as sec-high, and 80 have received sec-moderate labels. Mozilla also plans on integrating such automated scanning into its CI pipeline to immediately analyze any changes for potential vulnerabilities.

The takeaway for the entire software industry? The bugs have already been found; the time to act is now.
Mozilla deployed Anthropic Mythos to uncover 271 security flaws in Firefox, resulting in 423 total bug fixes in April—more than 13 times the monthly average. The AI model found decade-old vulnerabilities that traditional fuzzing missed, though skeptics question whether the breakthrough lies in the model itself or Mozilla's custom harness system.

Mozilla fixed 423 Firefox security bugs in April 2026, a repair rate more than 13 times higher than its monthly average and nearly five times the 76 fixes issued in March [3]. The browser maker attributes this surge to Anthropic Mythos, an AI model that discovered 271 vulnerabilities in Firefox 150 over two months [1]. Among these findings were high-severity software vulnerabilities that had remained hidden for over a decade, including a 15-year-old bug in Firefox's <legend> HTML element that survived years of fuzzing and manual audits [4].

Mozilla Distinguished Engineer Brian Grinstead emphasized that the system produces "almost no false positives," a stark contrast to earlier AI-powered scanning attempts that flooded security teams with hallucinated reports [1]. The breakthrough addresses a persistent challenge in AI-assisted vulnerability detection: generating actionable findings without overwhelming human reviewers.

The key to Mozilla's success lies in a custom agentic harness—middleware that guides the AI model through specific tasks rather than simply prompting it to analyze code blocks. Grinstead described the harness as "the code that drives the LLM in order to accomplish a goal," providing Anthropic Mythos with access to the same tools Mozilla developers use, including specialized Firefox builds for testing [1]. The harness enables deterministic verification by running test cases against Firefox's sanitizer build. When the AI model identifies a potential memory safety issue and crafts an exploit, the system automatically validates whether it triggers a crash. A second AI model then grades the output, ensuring high-quality reports before human engineers review them [1]. This multi-layered approach filters out the "unwanted slop" that plagued earlier attempts at using AI for software security.

Mozilla deployed the harness across numerous ephemeral virtual machines, targeting specific files in the codebase. This distributed approach allowed comprehensive scanning while maintaining the verification rigor needed to avoid false positives [4].

Among the 271 Firefox security vulnerabilities discovered, many involved sandbox escape exploits—particularly difficult bugs to detect through conventional methods. Mozilla's bug bounty program pays up to $20,000 for sandbox vulnerabilities, the highest reward available, yet Grinstead noted that Mythos finds more sandbox issues than human researchers ever did [2]. The AI model demonstrated combinatorial reasoning capabilities that traditional fuzzing cannot match. One example involved a 20-year-old heap use-after-free bug triggered through the XSLTProcessor DOM API without user interaction [3]. Another case required understanding how three independent Firefox behaviors collide to create a vulnerability—each behavior appearing innocent individually but becoming exploitable when combined [4]. Out of the 271 bugs, 180 received sec-high severity ratings and 80 were classified as sec-moderate [4]. Mozilla unhid full Bugzilla reports for 12 vulnerabilities, including detailed test cases that meet the same criteria required for all Firefox security vulnerabilities [1].

Despite Mozilla's transparency efforts, cybersecurity experts have raised questions about whether Anthropic Mythos itself deserves credit or if the custom harness makes the difference. Davi Ottenheimer, president of security consultancy flyingpenguin, conducted tests showing that lesser models like Sonnet 4.6 and Haiku 4.5, when paired with a harness called Wirken, identified eight findings in two minutes at approximately $0.75—two of which matched bugs Mythos had found [3]. Ottenheimer criticized Mozilla for not providing transparent comparisons between Mythos and other models, particularly since Mozilla acknowledged that Opus 4.6 was already identifying "an impressive amount of previously unknown vulnerabilities" [3]. The skepticism centers on whether Mozilla proved that only Mythos could achieve these results, or if comparable outcomes might be possible with less expensive models.

Mozilla has not obtained CVE designations for the 271 vulnerabilities, following its standard practice of not seeking CVE listings for internally discovered security bugs [1]. This decision initially fueled criticism but aligns with how many developers handle internal findings.

While AI coding tools have made documented progress, Firefox engineers still write and review every patch manually. Though they ask AI to generate patch code, the output typically cannot be deployed directly and serves only as a model for human engineers [2]. Grinstead confirmed that "every single one is one engineer writing a patch and one engineer reviewing it" and noted they "have not found it to be automatable" [2].

The broader question remains whether these capabilities shift the balance in cybersecurity toward defenders or attackers. Anthropic CEO Dario Amodei suggested that "if we handle this right, we could be in a better position than we started, because we fixed all these bugs" [2]. However, Grinstead offered a more measured perspective: "It's useful for both attackers and defenders, but having the tool available shifts the advantage a little bit to defense. Realistically, nobody knows the answer to this yet" [2].

Mozilla plans to integrate automated scanning into its continuous integration pipeline, analyzing code changes immediately for potential vulnerabilities [4]. As organizations across the software industry watch Mozilla's experiment, the pressure builds to act on similar findings before adversaries exploit the same AI techniques.

Summarized by Navi