The Quantum Dispatch

Claude AI Discovers 22 Security Vulnerabilities in Firefox in Just 14 Days — Ushering In AI-Powered Bug Hunting

Anthropic's Claude Opus 4.6 found 22 CVEs in Firefox during a two-week audit with Mozilla, including 14 high-severity flaws that traditional fuzz testing had missed.

Kai Aegis, Mar 9, 2026

AI as Bug Hunter

The idea of AI finding real-world security vulnerabilities in production software has long been theoretical. It's not theoretical anymore. Anthropic and Mozilla jointly announced that Claude Opus 4.6 discovered 22 previously unknown security vulnerabilities in Firefox — including 14 rated high severity — during a two-week security audit in February 2026.

The partnership saw Anthropic submit 112 bug reports to Mozilla in total. Of those, 22 received formal CVE designations for security-sensitive flaws. The rest were non-security bugs — logic errors, performance issues, and edge cases — that had evaded detection through years of conventional testing.

What Did Claude Find?

The vulnerabilities spanned Firefox's memory management, access boundary conditions, and security safeguards. Most notably, Claude identified distinct classes of logic errors that Mozilla's existing fuzz testing infrastructure had never uncovered — a meaningful result, given that Firefox already employs one of the most sophisticated fuzzing pipelines in the open-source world.

One finding stood out: CVE-2026-2796, a JIT miscompilation bug in Firefox's JavaScript WebAssembly component, received a CVSS score of 9.8 — critical severity. Anthropic's red team spent approximately $4,000 in API credits developing proof-of-concept exploits, successfully demonstrating exploitability in two cases including this one.

Most of the discovered vulnerabilities have already been patched in Firefox 148, with the remainder scheduled for upcoming releases.

Why This Matters for Defensive AI Security

This is one of the first large-scale demonstrations of AI being used proactively for defensive security research on production software. Rather than waiting for attackers to discover and exploit vulnerabilities, Claude identified 22 flaws in the time it would take a human security team to thoroughly audit a fraction of Firefox's massive codebase.

The broader project was even more ambitious. While testing Claude Opus 4.6, Anthropic uncovered more than 500 previously unknown flaws across multiple open-source projects — Firefox was just the highest-profile target.

For the AI security community, this partnership represents exactly the kind of constructive application that builds trust: AI working alongside human security teams to harden the software that billions of people depend on every day.

Sources: Anthropic Blog (March 6, 2026), Mozilla Blog (March 6, 2026), TechCrunch (March 6, 2026), The Hacker News (March 6, 2026)