Application security, AI/ML, Generative AI, Vulnerability Management, Patch/Configuration Management

Mozilla fixes 22 Firefox vulnerabilities discovered by Anthropic’s Claude AI

(Credit: Rafael Henrique – stock.adobe.com)

Mozilla patched 22 vulnerabilities in Firefox that were discovered by Anthropic’s Claude Opus 4.6 AI model.

Anthropic said Friday that Claude discovered the first vulnerability, a use-after-free in Firefox’s JavaScript engine, within 20 minutes of exploring the open-source browser’s codebase.

Human researchers validated the flaw, as well as a proposed patch written by Claude, and reported it through Mozilla’s Bugzilla issue tracker. Mozilla then invited Anthropic to submit future Claude-discovered flaws “in bulk” without the need to be manually validated by the Anthropic team, the company said.

“Critically, their bug reports included minimal test cases that allowed our security team to quickly verify and reproduce each issue,” Mozilla said in a blog post Friday.

Of the 22 CVEs discovered, Mozilla flagged 14 as high severity. The flaws were fixed in Firefox version 148 on Feb. 24, 2026.

Anthropic, Mozilla suggest best practices for AI-driven bug hunting

Anthropic emphasized the importance of working closely with open-source maintainers like Mozilla to avoid false positives and submit high-quality reports when using large language models (LLMs) for open-source vulnerability discovery.

Concerns have been raised about the recent surge in AI-generated bug reports for open-source projects, which can place a substantial burden on volunteer maintainers when reports lack detail or a proposed fix, an issue that led cURL to terminate its bug bounty program in January.

Mozilla noted that Anthropic's inclusion of minimal test cases, detailed proofs-of-concept and candidate patches was what allowed the maintainers to trust Claude's results and resolve the issues quickly.

“We strongly encourage researchers who use LLM-powered vulnerability research tools to include similar evidence of verification and reproducibility when submitting reports based on the output of such tooling,” Anthropic wrote.

The company also recommended the use of "task verifiers" when AI agents are used to find and fix vulnerabilities: tooling that lets the agent "check its own work" in real time by confirming that a proposed fix actually removes the vulnerability (for example, that the reproducer no longer triggers it) without breaking the software's existing functionality.
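The decision logic a task verifier of that kind needs, as an added example (this is not Anthropic's or Mozilla's tooling, and nothing here is taken from the Firefox reports). It assumes the agent has a minimal reproducer, an unpatched and a patched build compiled with AddressSanitizer, and a functional test suite, and that each run yields an exit code and captured output. The sanitizer outputs, the function name `js::ExampleFunction` and the file path in them are constructed placeholders. The point it makes beyond the passage: a verifier should compare crash *signatures*, not just "crashed or not", so that a patch which merely moves the fault to a different sanitizer report is rejected rather than accepted.

```python
"""Task-verifier decision logic for an agent-proposed vulnerability fix.

Added example; not Anthropic's or Mozilla's code. Assumes an ASan-built
target whose crashes end in a parseable "SUMMARY:" line.
"""
import re
from dataclasses import dataclass
from typing import Optional

# ASan's final line looks like:
#   SUMMARY: AddressSanitizer: heap-use-after-free /src/file.cpp:42:7 in ns::Func(Args)
# The greedy ".*" makes " in " bind to the last occurrence, i.e. the frame.
SUMMARY_RE = re.compile(
    r"^SUMMARY: AddressSanitizer: (?P<kind>[\w-]+) .* in (?P<frame>.+)$", re.M
)


@dataclass(frozen=True)
class CrashSignature:
    kind: str    # e.g. "heap-use-after-free"
    frame: str   # innermost function named in the summary line


@dataclass
class RunResult:
    exit_code: int
    output: str


@dataclass
class Verdict:
    accepted: bool
    reason: str


def parse_asan_signature(output: str) -> Optional[CrashSignature]:
    """Extract (bug kind, crashing frame) from ASan output, or None if no report."""
    m = SUMMARY_RE.search(output)
    if not m:
        return None
    return CrashSignature(m.group("kind"), m.group("frame").strip())


def verify_fix(expected: CrashSignature,
               unpatched_repro: RunResult,
               patched_repro: RunResult,
               patched_tests: RunResult) -> Verdict:
    """Accept a fix only if the reproducer is valid, the bug is gone, and tests pass."""
    # 1. The reproducer must trigger the *expected* bug on the unpatched build,
    #    otherwise nothing below proves anything about this vulnerability.
    before = parse_asan_signature(unpatched_repro.output)
    if before != expected:
        return Verdict(False, f"reproducer does not hit expected bug on unpatched build (got {before})")
    # 2. Any sanitizer report on the patched build is a failure, even if it is
    #    a different one: the fix has moved the fault, not removed it.
    after = parse_asan_signature(patched_repro.output)
    if after is not None:
        return Verdict(False, f"patched build still reports {after.kind} in {after.frame}")
    if patched_repro.exit_code != 0:
        return Verdict(False, f"reproducer exited {patched_repro.exit_code} on patched build")
    # 3. Functionality must be preserved.
    if patched_tests.exit_code != 0:
        return Verdict(False, "functional test suite fails on patched build")
    return Verdict(True, "fix removes the bug and keeps the test suite green")


# Constructed sample outputs (placeholders, not real Firefox traces).
UAF_OUTPUT = """==4242==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000000010
READ of size 8 at 0x602000000010 thread T0
    #0 0x55d0 in js::ExampleFunction(JSContext*) /src/js/src/example.cpp:42:7
SUMMARY: AddressSanitizer: heap-use-after-free /src/js/src/example.cpp:42:7 in js::ExampleFunction(JSContext*)
"""
OVERFLOW_OUTPUT = """==4243==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000020
SUMMARY: AddressSanitizer: heap-buffer-overflow /src/js/src/example.cpp:58:3 in js::ExampleFunction(JSContext*)
"""
EXPECTED = CrashSignature("heap-use-after-free", "js::ExampleFunction(JSContext*)")


def demo_good_fix() -> Verdict:
    return verify_fix(EXPECTED, RunResult(1, UAF_OUTPUT), RunResult(0, ""), RunResult(0, "ok"))


def demo_moved_bug() -> Verdict:
    # Patch silences the UAF but the reproducer now overflows: must be rejected.
    return verify_fix(EXPECTED, RunResult(1, UAF_OUTPUT), RunResult(1, OVERFLOW_OUTPUT), RunResult(0, "ok"))


def demo_broken_functionality() -> Verdict:
    return verify_fix(EXPECTED, RunResult(1, UAF_OUTPUT), RunResult(0, ""), RunResult(1, "2 failed"))


if __name__ == "__main__":
    for d in (demo_good_fix, demo_moved_bug, demo_broken_functionality):
        print(d.__name__, d())
```

In a real harness the three `RunResult` values would come from running the reproducer and the test suite against the two builds; the verdict logic stays the same.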

Anthropic also published its coordinated vulnerability disclosure policy for Claude-discovered vulnerabilities on Friday, which follows the industry-standard 90-day deadline with the possibility of deadline extensions and shorter 7-day deadlines for actively exploited critical flaws.

Anthropic’s policy also noted the role of human review in reports submitted by the company, clear labeling of reports stemming from AI discoveries and the fact that Anthropic does not submit large volumes of reports to a single project without first reaching an agreement with the maintainer.

Claude develops ‘crude’ exploit for Firefox CVE-2026-2796

As part of its red team efforts, Anthropic also assessed Claude Opus 4.6’s ability to develop exploits for the vulnerabilities it discovered in Firefox.

The team noted that, in most cases, the model failed to develop an exploit, producing a "crude" exploit in only two out of several hundred attempts, at a total cost of about $4,000 in API credits.

The Claude-developed exploit targeted a vulnerability tracked as CVE-2026-2796, a JIT miscompilation bug in the WebAssembly component of Firefox's JavaScript engine, which was assigned a critical 9.8 CVSS score by the National Institute of Standards and Technology (NIST) in the National Vulnerability Database (NVD).

Claude's exploit leverages type confusion to obtain arbitrary read/write primitives and code execution within Firefox's JavaScript engine. However, the Claude red team noted that the exploit only succeeded in a test environment with some browser security features removed, so it does not by itself demonstrate compromise of a default Firefox installation.

“Claude isn’t yet writing ‘full-chain’ exploits that combine multiple vulnerabilities to escape the browser sandbox, which are what would cause real harm,” the team wrote. “[…] But the success we did observe signals that Claude is getting much closer to being capable of full-chain exploits, and we think this result is an important early warning sign of where capabilities are heading.”
