How Claude Mythos Found 271 Firefox Vulnerabilities
May 19, 2026
TL;DR
Anthropic's unreleased frontier model Claude Mythos Preview identified 271 security vulnerabilities in Firefox during a single evaluation pass with Mozilla's security team. The fixes shipped in Firefox 150 on April 21, 2026 under Mozilla Foundation Security Advisory MFSA 2026-30, which lists 41 public CVEs — three of them explicitly credited to Claude (CVE-2026-6746, CVE-2026-6757, CVE-2026-6758). Across all of April 2026, Mozilla shipped 423 total security fixes — 271 from the Mythos pass, 41 externally reported, and 111 found internally — with over 100 Mozilla contributors patching, reviewing, and triaging the backlog.1,2,3 It is one of the largest single AI-assisted vulnerability disclosures on record for a major browser.
What You'll Learn
- The exact scope of the Firefox 150 patch and what MFSA 2026-30 contains
- Why only 3 of the 271 bugs received public CVEs
- How Mozilla's three-track agentic pipeline (fuzzing, manual, AI-agent) actually works
- The performance gap between Claude Opus 4.6 (22 bugs) and Mythos Preview (271 bugs)
- What Project Glasswing means for other critical-software maintainers
- How defenders should reset their security playbooks after this result
Firefox 150 in Numbers
Mozilla released Firefox 150 on April 21, 2026, accompanied by MFSA 2026-30, the security advisory that ships alongside every major Firefox release. The advisory's public CVE table contains 41 entries, including the standard memory-safety rollups Mozilla files at each release boundary.1
That 41-CVE figure is what most security trackers picked up. What sets this release apart is the longer tail behind it. In a separate disclosure on the same day, Mozilla announced that Firefox 150's patch set includes fixes for 271 additional vulnerabilities identified during an initial evaluation of an early version of Claude Mythos Preview.2
The full April scoreboard, published two weeks later on the Mozilla Hacks blog:3
| Source | Bugs fixed in April 2026 |
|---|---|
| Claude Mythos Preview (initial sweep) | 271 |
| External reporters (researchers, bounty submissions) | 41 |
| Mozilla internal discovery (fuzzing, manual review) | 111 |
| Total fixes shipped in April | 423 |
For comparison, Mozilla shipped roughly 31 security fixes in April of the prior year.3 The April 2026 fix volume is more than 13× the year-over-year baseline.
Why Only 3 CVEs Are Credited to Claude
A common point of confusion in initial coverage was the gap between "271 vulnerabilities" and the 3 CVE numbers (CVE-2026-6746, CVE-2026-6757, CVE-2026-6758) explicitly tied to Claude in MFSA 2026-30.4
The discrepancy is not a contradiction. Public CVEs are issued for vulnerabilities meeting a defined severity threshold — typically remote code execution, sandbox escape, or other high-impact classes that warrant disclosure to downstream packagers and operators. The remaining bugs Mythos surfaced fall into categories that Mozilla routinely fixes without filing CVEs:
- Defense-in-depth issues that mitigate, but don't directly enable, exploitation
- Hardening improvements where a code path was unsafe by audit, but not provably exploitable
- Bugs in non-exploitable code paths that are still worth patching for correctness
- Lower-severity logic bugs that are fixed quietly without public coordination
Three of the 271 met the bar for a public CVE. The other 268 quietly shipped as part of Firefox 150's normal release, which is the conservative and correct way to handle them — Mozilla doesn't inflate its CVE count to advertise the haul.
Mozilla's Three-Track Bug-Hunting Pipeline
On May 7, 2026, Mozilla's security team published a behind-the-scenes write-up describing how the 423 fixes actually got shipped. The team confirmed that Firefox's bug-discovery process now runs along three parallel tracks:3
- Continuous fuzzing systems — long-running, mutation-based input generation against parsers, decoders, and the JavaScript engine.
- Manual inspection — code review, threat modeling, and human security research targeted at high-risk components.
- A new agentic AI pipeline — Claude Mythos Preview plus other frontier models, run against Firefox through a custom harness that reflects the codebase's semantics, tooling, and processes.
Mozilla emphasizes that the AI track is codebase-specific, not a generic scanner. The harness runs against a sanitizer build of Firefox and uses an AddressSanitizer crash as the deterministic success signal, with a retry loop until the agent produces a verified proof-of-concept — eliminating most of the speculative false positives that plagued earlier static-analysis attempts.
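The success signal described above (an AddressSanitizer crash that reproduces deterministically, deduplicated before a human sees it) is easy to express as a small triage loop. The following is an added example and not Mozilla's or Anthropic's harness code: it assumes a `run` callback that executes one candidate input against a sanitizer build and returns the captured stderr, and it parses the standard ASan report layout (an `ERROR: AddressSanitizer: <kind>` header followed by a symbolized stack). `FakeTarget` and the embedded report text are constructed stand-ins for that callback and its output.

```python
import re
from dataclasses import dataclass
from typing import Callable, Iterable, Iterator, Optional, Tuple

# Header line of an ASan report, e.g.
#   ==1234==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000000010 ...
ASAN_HEADER = re.compile(r"ERROR: AddressSanitizer: (?P<kind>[A-Za-z0-9_-]+)")
# Symbolized stack frame, e.g. "#0 0x4a1b2c in nsFoo::Bar /src/foo.cpp:42:5"
FRAME = re.compile(r"^\s*#(?P<n>\d+) 0x[0-9a-fA-F]+ in (?P<func>\S+)", re.MULTILINE)
# Frames inside the sanitizer runtime carry no triage information and are skipped.
RUNTIME_PREFIXES = ("__asan", "__interceptor", "__sanitizer")


@dataclass(frozen=True)
class CrashSignature:
    """Bug class plus the top application frames: the key used to deduplicate reports."""
    kind: str
    frames: Tuple[str, ...]


def parse_asan_report(stderr: str, depth: int = 3) -> Optional[CrashSignature]:
    """Return a CrashSignature if stderr contains an ASan error report, else None."""
    header = ASAN_HEADER.search(stderr)
    if header is None:
        return None
    # Only the first stack (the faulting access) feeds the signature; ASan prints the
    # allocation/free stacks after it, separated by a blank line.
    first_stack = stderr[header.end():].split("\n\n", 1)[0]
    funcs = [
        m.group("func") for m in FRAME.finditer(first_stack)
        if not m.group("func").startswith(RUNTIME_PREFIXES)
    ]
    return CrashSignature(kind=header.group("kind"), frames=tuple(funcs[:depth]))


def verify_candidate(run: Callable[[bytes], str], candidate: bytes,
                     repeats: int = 3) -> Optional[CrashSignature]:
    """Deterministic success signal: the candidate must produce the same ASan
    signature on every run. An absent or flaky crash counts as a failure."""
    signatures = {parse_asan_report(run(candidate)) for _ in range(repeats)}
    if len(signatures) == 1:
        return signatures.pop()  # None when no run crashed
    return None  # mixed outcomes: not reproducible, do not hand to a triager


def triage_loop(run: Callable[[bytes], str], candidates: Iterable[bytes],
                max_attempts: int) -> Iterator[Tuple[bytes, CrashSignature]]:
    """Retry loop: keep feeding candidates to the sanitizer build until max_attempts
    is reached, yielding only verified, previously unseen crash signatures."""
    seen = set()
    for attempt, candidate in enumerate(candidates, start=1):
        if attempt > max_attempts:
            break
        sig = verify_candidate(run, candidate)
        if sig is None or sig in seen:
            continue  # no verified crash, or a duplicate of one already recorded
        seen.add(sig)
        yield candidate, sig


# Constructed ASan output used only by the FakeTarget below (hypothetical frames).
FAKE_ASAN_REPORT = """==4242==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000000010 at pc 0x4a1b2c bp 0x7ffd sp 0x7ffd
READ of size 4 at 0x602000000010 thread T0
    #0 0x4a1b2c in __interceptor_memcpy /src/asan_interceptors.cpp:100:1
    #1 0x4a1c00 in ParseRecord(Buffer*) /src/parser.cpp:42:5
    #2 0x4a1d00 in Decoder::Run() /src/decoder.cpp:88:3
    #3 0x4a1e00 in main /src/main.cpp:10:3

0x602000000010 is located 0 bytes inside of 16-byte region [0x602000000010,0x602000000020)
freed by thread T0 here:
    #0 0x4a0000 in free /src/asan_malloc_linux.cpp:50
    #1 0x4a1f00 in ReleaseRecord(Buffer*) /src/parser.cpp:70:5
"""


class FakeTarget:
    """Constructed stand-in for running the sanitizer build. In a real harness `run`
    would be subprocess.run([...], input=candidate, capture_output=True).stderr."""

    def __init__(self) -> None:
        self.calls = 0

    def run(self, candidate: bytes) -> str:
        self.calls += 1
        if candidate.startswith(b"CRASH"):
            return FAKE_ASAN_REPORT          # reproducible crash
        if candidate.startswith(b"FLAKY") and self.calls % 2 == 0:
            return FAKE_ASAN_REPORT          # crashes only on alternate runs
        return ""                            # clean exit


def demo() -> list:
    """Run the loop over a constructed candidate list and return the verified results."""
    target = FakeTarget()
    candidates = [b"benign-1", b"FLAKY-1", b"CRASH-A", b"CRASH-B", b"benign-2"]
    return list(triage_loop(target.run, candidates, max_attempts=10))


if __name__ == "__main__":
    for candidate, sig in demo():
        print(candidate, sig.kind, sig.frames)
```

Of the five constructed candidates only `CRASH-A` is reported: the benign inputs never crash, `FLAKY-1` crashes on some runs but not others and so fails the determinism check, and `CRASH-B` produces the same signature as `CRASH-A` and is dropped as a duplicate. That filtering is what keeps a high-volume model-driven pipeline from flooding human triagers with unverified or repeated reports.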
Two things changed between the Opus 4.6 trial in February and the Mythos pass in April, according to the post-mortem:
- The models got more capable. Mythos Preview's vulnerability-discovery and exploit-development abilities are not incremental improvements on Opus 4.6 — they are step-function jumps (see the next section).
- The harness got better. Mozilla iterated heavily on how it steers, scales, and stacks models — generating high-volume signal and filtering noise before it ever reaches a human triager.
The result: a 100+ person internal effort to patch, review, test, and ship a fix volume that would have taken months under the prior workflow.
From 22 to 271: The Mythos vs. Opus 4.6 Gap
The Firefox 150 result is best read against the Firefox 148 baseline. In February 2026, Mozilla ran a similar — but smaller-scale — experiment with Claude Opus 4.6. That run produced 22 confirmed Firefox vulnerabilities in roughly two weeks, with fixes shipping in Firefox 148 (released February 24, 2026).5
Two months later, the Mythos Preview pass produced 271. The capability jump is visible across every benchmark Anthropic published:6
| Benchmark | Claude Opus 4.6 | Claude Mythos Preview |
|---|---|---|
| SWE-bench Verified | 80.8% | 93.9% |
| USAMO 2026 | 42.3% | 97.6% |
| CyberGym (vulnerability reproduction) | 66.6% | 83.1% |
| Firefox 147 JS engine exploit dev | 2 working exploits (out of several hundred attempts) | 181 working exploits + 29 with register control |
The Firefox 147 JavaScript-engine exploit-development trial is the most concrete capability delta. Given the same vulnerabilities to weaponize, Opus 4.6 produced two working JS-shell exploits across several hundred attempts. Mythos Preview produced 181 — a roughly 90× improvement on the same task.6
That capability profile is why Anthropic decided not to release Mythos publicly. It is also why Mozilla was an early invited partner.
Project Glasswing: The Distribution Model
Mythos Preview is not available on the public Claude API. Access is restricted through Project Glasswing, the Anthropic-led coalition announced alongside the model on April 7, 2026.7
The 12 launch partners cover the surface area where a model with these capabilities matters most: cloud, consumer OS, network infrastructure, finance, and the Linux ecosystem.
| Organization | Domain |
|---|---|
| Amazon Web Services | Cloud infrastructure |
| Anthropic | Model provider / coalition lead |
| Apple | Consumer OS, browsers, devices |
| Broadcom | Semiconductor and networking |
| Cisco | Enterprise networking |
| CrowdStrike | Endpoint detection and response |
| Google | Chrome, Android, Search, Cloud |
| JPMorgan Chase | Financial-sector critical software |
| Linux Foundation | Open-source ecosystem |
| Microsoft | Windows, Edge, Azure |
| NVIDIA | GPU drivers, AI infrastructure |
| Palo Alto Networks | Network and cloud firewall |
Anthropic has extended Mythos Preview access to more than 40 additional organizations that maintain critical software infrastructure, and committed up to $100 million in usage credits plus $4 million in direct donations to open-source security organizations to fund the work.7 For partners outside the credit pool, Mythos Preview is priced at $25 per million input tokens and $125 per million output tokens — five times the price of Claude Opus 4.6 ($5 / $25).8 The context window is 1M input tokens with a 128K output ceiling.8
Palo Alto Networks, one of the launch partners, published its own evaluation in its April 2026 Defender's Guide. Its summary: in less than three weeks of model-assisted analysis, the team matched a full year of manual penetration-testing effort, with broader coverage than the human-only baseline.9
What This Means Outside Firefox
Firefox is a heavily fuzzed, heavily audited codebase with full-time security staffing. If Mythos Preview can find 271 vulnerabilities on that surface in one evaluation, the implication for codebases without those resources is uncomfortable.
A few defensive conclusions are starting to land:
- Maintained software accumulates more latent risk than fuzzing suggests. Many of the bugs in the Firefox 150 set survived years of automated testing. Mythos surfaced them because it reasons about semantics, not just inputs.
- The pipeline is codebase-specific work, not a plug-in. Mozilla's results required substantial harness engineering. There is no off-the-shelf "scan with Mythos" workflow yet, and Anthropic has restricted Mythos Preview's use to defensive cybersecurity work under the Project Glasswing terms.
- The 90-day patch cycle is going to feel different. When a single evaluation cycle produces 271 fixes shipping in one release, the downstream pressure on packagers, embedded OEMs, and LTS distributions changes shape. Mozilla absorbed it because it owns the codebase end-to-end; vendors with stricter change-control may not have the same luxury.
- Public credit is going to undercount AI-found bugs. Only 3 of the 271 Mozilla fixes will appear in CVE statistics. Anyone tracking AI's impact on security via CVE counts alone will systematically underestimate it.
For a broader take on what Mythos Preview can do beyond Firefox — including the 27-year-old OpenBSD bug it surfaced and the broader Project Glasswing announcement — see Claude Mythos Preview: The AI Too Dangerous to Release. For the UK AI Security Institute's independent evaluation of Mythos against expert-level CTF challenges, see AISI Claude Mythos Eval: AI Owns 32-Step Network Attack. And for evidence that the capability frontier is jagged — that some 3.6B parameter models can match Mythos on specific tasks — see AI Cybersecurity's Jagged Frontier: Small Models vs Mythos.
The Bottom Line
The Firefox 150 patch is one of the first large-scale, publicly documented demonstrations of what AI-assisted vulnerability research looks like at frontier scale. 271 fixes in one sweep, 423 across the month, against a codebase that already had elite human and fuzzing coverage — that is the new baseline. The headline number isn't 271; the headline is that 268 of the bugs Mozilla patched will never get a CVE, and almost everyone tracking AI-and-security via CVE feeds is about to start undercounting.
For maintainers of critical software, the implication is straightforward: the gap between "we are well-audited" and "we have material latent risk" just narrowed. Mythos didn't find bugs that fuzzing was about to find next week. It found bugs that years of fuzzing missed.
Footnotes
1. Security Vulnerabilities fixed in Firefox 150 — MFSA 2026-30, Mozilla Foundation Security Advisories.
2. The zero-days are numbered, The Mozilla Blog.
3. Behind the Scenes Hardening Firefox with Claude Mythos Preview, Mozilla Hacks, May 7, 2026.
4. Claude Mythos Finds 271 Firefox Vulnerabilities, SecurityWeek.
5. Anthropic Finds 22 Firefox Vulnerabilities Using Claude Opus 4.6 AI Model, The Hacker News.
6. Assessing Claude Mythos Preview's Cybersecurity Capabilities, Anthropic Red.
7. Project Glasswing: Securing critical software for the AI era, Anthropic.
8. Claude Mythos Preview Benchmarks, Pricing & Context Window, LLM Stats.
9. Defender's Guide to the Frontier AI Impact on Cybersecurity, Palo Alto Networks, April 2026.