Firefox 150: Claude Found 271 Bugs, 3 Got Credits

Mozilla's blog says Claude Mythos Preview uncovered 271 vulnerabilities patched in Firefox 150. The security advisory lists 36 CVEs, and only three of them credit Anthropic. The gap is the whole story.


On 21 April, Mozilla shipped Firefox 150 and simultaneously published a blog post from CTO Bobby Holley arguing that AI-assisted security review is about to flip the attacker-defender economics of the internet. The headline number: 271 vulnerabilities found during an initial evaluation with an early build of Claude Mythos Preview and fixed in this release. The problem is that Mozilla's own security advisory for the same release, MFSA 2026-30, lists 36 CVEs - and only three of them credit Anthropic's model. That gap isn't a rounding error. It's the story.

Firefox 150 by the Numbers

Metric                    Mozilla blog     MFSA 2026-30 advisory
Vulnerabilities claimed   271              -
CVEs issued               -                36
Memory-safety rollups     -                3
Claude-credited CVEs      271 (implied)    3
Previous release (148)    22               22

What Mozilla Says

Holley's post, "The zero-days are numbered," frames Firefox 150 as the first release to benefit from a deep AI-driven audit. The model in question is the same Claude Mythos Preview Anthropic rolled out under Project Glasswing - the restricted cybersecurity model that a Discord group accessed on day one using a contractor credential and a leaked URL pattern.

Mozilla's argument is that the model reasons through source code the way an elite human researcher does, and therefore reaches bugs that fuzzers can't.

"So far we've found no category or complexity of vulnerability that humans can find that this model can't," Holley writes. "The defects are finite, and we are entering a world where we can finally find them all."

And later, sharper:

"Defenders finally have a chance to win, decisively."

That's a large claim. Its supporting evidence, as published, is the number 271.

[Image: Firefox browser open on a smartphone] Firefox 150 shipped 21 April 2026, the same day Bloomberg's reporting on the Mythos Discord breach landed. The model Mozilla used to audit its own code was also the model an unauthorised Discord group was using to build websites. Source: unsplash.com

What the Advisory Says

MFSA 2026-30 is the public security advisory that accompanies Firefox 150. Its contents, read line by line, look like this:

Category                 Count   Notes
High-impact CVEs         ~8      Use-after-free, invalid pointer, RCE primitives
Moderate/low CVEs        ~25     Same-origin, UI spoofing, permission prompts
Memory-safety rollups    3       CVE-2026-6784, 6785, 6786 - bundled Bug Bash entries
CVEs crediting Claude    3       CVE-2026-6746, CVE-2026-6757, CVE-2026-6758

The three Claude-credited entries, as documented in blog.mozilla.org's AI post and confirmed by The Register's read of the advisory:

  • CVE-2026-6746 - Use-after-free in the DOM. High impact.
  • CVE-2026-6757 - Invalid pointer in the JavaScript engine's WebAssembly subsystem.
  • CVE-2026-6758 - Use-after-free in WebAssembly.

All three list the same researcher bloc: Evyatar Ben Asher, Keane Lucas, Nicholas Carlini, Newton Cheng, Daniel Freeman, Alex Gaynor, and Joel Weinberger, each noted as "using Claude from Anthropic." That's the entire AI-credited surface area of MFSA 2026-30.

The other 33 CVEs - and the three rollups - don't mention Claude at all.

The Gap Between the Two Numbers

Security-journalism outlet flyingpenguin.com walked through the discrepancy in detail, noting that Mozilla changed its accounting method between Firefox 148 and Firefox 150 without disclosure. In the 148 release, the advisory CVE count and the blog post's findings count agreed one-to-one at 22. In the 150 release, they diverge by a factor of nine. Three candidate explanations exist for the 271 figure:

Possibility 1: Pre-triage submissions

Mozilla may be counting initial Claude reports before de-duplication, rejection, and triage. For Firefox 148, Mozilla disclosed that funnel: 112 pre-triage findings produced 22 CVEs. The 271 in Firefox 150 could be the equivalent funnel input, with no funnel shown this time.

Possibility 2: Non-exploitable fixes

A subset of the 271 may be code changes Mozilla chose to land defensively after Claude flagged them, without ever assigning a CVE. That's a legitimate engineering practice. It's also not the same class of artefact as a shipped, credited CVE.

Possibility 3: Instance multiplication

One underlying bug pattern, surfaced across multiple files or subsystems, could be counted as multiple findings. A single use-after-free idiom applied across ten call sites counts as one CVE but could produce ten "flagged instances" in a Claude session log.

Mozilla hasn't said which of these, or which combination, produced 271. Without the funnel, the comparison between "22 in Firefox 148" and "271 in Firefox 150" is a comparison between a disclosed pipeline and an opaque one.
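To make the three accounting effects concrete, here is an added Python example. It is not Mozilla's or Anthropic's tooling; the findings, root-cause signatures and CVE identifiers are constructed placeholders. It runs a constructed set of flagged instances through a triage funnel and reports every stage both by instance and by root cause, which is the distinction the 271-versus-3 gap turns on: ten flagged call sites of one use-after-free idiom are one CVE, defensive fixes are zero CVEs, and rejected reports are zero of anything.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One flagged instance from an AI-assisted review session (constructed schema)."""
    finding_id: int
    subsystem: str
    path: str
    root_cause: str  # signature shared by every instance of the same underlying bug


# Triage outcome per root cause. Hypothetical values: the CVE ids are placeholders,
# not real identifiers, and the verdicts are invented for the example.
TRIAGE = {
    "uaf-refcount-release":    ("cve", "CVE-PLACEHOLDER-0001"),      # Possibility 3: one idiom, many sites
    "wasm-invalid-pointer":    ("cve", "CVE-PLACEHOLDER-0002"),
    "wasm-table-uaf":          ("cve", "CVE-PLACEHOLDER-0003"),
    "null-deref-unreachable":  ("defensive", None),                  # Possibility 2: fixed, no CVE
    "benign-int-wrap":         ("rejected", None),                   # Possibility 1: pre-triage noise
    "false-positive-lifetime": ("rejected", None),
}


def sample_findings() -> list[Finding]:
    """Constructed session output (25 flagged instances), not real Firefox data."""
    # (subsystem, root_cause, number of call sites flagged)
    spec = [
        ("dom",  "uaf-refcount-release",    10),
        ("wasm", "wasm-invalid-pointer",     1),
        ("wasm", "wasm-table-uaf",           2),
        ("dom",  "null-deref-unreachable",   5),
        ("js",   "benign-int-wrap",          4),
        ("dom",  "false-positive-lifetime",  3),
    ]
    findings, next_id = [], 1
    for subsystem, cause, sites in spec:
        for i in range(sites):
            findings.append(Finding(next_id, subsystem, f"{subsystem}/{cause}_{i}.cpp", cause))
            next_id += 1
    return findings


def funnel(findings: list[Finding], triage: dict) -> dict:
    """Collapse raw instances to root causes, then split by triage verdict.

    Returns counts at every stage so a report can state which number it is quoting.
    Root causes missing from the triage table are reported as 'untriaged' rather
    than silently dropped.
    """
    by_cause: dict[str, list[Finding]] = defaultdict(list)
    for f in findings:
        by_cause[f.root_cause].append(f)

    stages = {"raw_instances": len(findings), "unique_root_causes": len(by_cause)}
    for verdict in ("cve", "defensive", "rejected", "untriaged"):
        causes = [c for c in by_cause if triage.get(c, ("untriaged", None))[0] == verdict]
        stages[f"{verdict}_root_causes"] = len(causes)
        stages[f"{verdict}_instances"] = sum(len(by_cause[c]) for c in causes)
    return stages


def inflation_ratio(stages: dict) -> float:
    """How many times larger the headline instance count is than the CVE count."""
    return stages["raw_instances"] / max(stages["cve_root_causes"], 1)


if __name__ == "__main__":
    s = funnel(sample_findings(), TRIAGE)
    for k, v in s.items():
        print(f"{k:24} {v}")
    print(f"headline-to-CVE ratio     {inflation_ratio(s):.1f}x")
```

On the constructed input the headline number is 25 instances, the advisory-style number is 3 CVEs, and the same session also yields 5 defensive-only instances and 7 rejected ones; a report that publishes only the first and last of those stages leaves the reader to guess which of the three possibilities above did the inflating.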

[Image: Lines of code on a monitor] The three Claude-credited CVEs are concentrated in the DOM and WebAssembly - exactly the memory-safety-heavy subsystems where AI-assisted pattern matching reaches furthest. They are also where Firefox has had the most CVE activity in prior releases. Source: unsplash.com

Counter-Argument: Why the 271 Could Still Be Real

Holley would push back, and one of the pushbacks is defensible.

Defensive refactors are vulnerabilities. A class of bugs Mozilla fixed quietly - without CVE assignment because the path is unreachable today but would become reachable under a future config - is still a hardening gain. If Claude surfaced those methodically across the browser, the total defensive uplift isn't captured by the CVE count.

CVEs under-count. CVEs are an inbound artefact requiring a reporter, a severity adjudication, and coordinated disclosure bandwidth. For a single release to produce 36 CVEs is already high-signal; Firefox normally ships ~30 CVEs per major release. That 271 other fixes aren't CVEs does not mean they're not security-relevant.

Firefox 148 was a baseline. Firefox 148 was the first release with documented Claude involvement. The team was new to the tooling, the scope was narrower, the funnel was tighter. Firefox 150 represents the first full-surface sweep. A one-to-nine expansion isn't implausible if the 148 pass covered only a subset of the browser.

None of these, on its own, rescues the 271 as a credible advisory-compatible number. Taken together, they do place a lower bound somewhere well above three.

The Researcher Bloc Tells You Something

The seven-person team that owns all three Claude-credited CVEs is a mixed bag, and worth reading.

  • Nicholas Carlini - Anthropic's lead security research scientist, former Google Brain adversarial ML lead. Previously best known for breaking watermarking schemes and extracting training data from LLMs.
  • Alex Gaynor - Formerly of the Firefox security team, now at Anthropic. Long-time Rust/memory-safety advocate; helped write the Servo CSS engine.
  • Joel Weinberger - Former Google Chrome security engineer.
  • Keane Lucas, Newton Cheng, Daniel Freeman, Evyatar Ben Asher - less-public researchers, likely Anthropic-internal security staff based on the consistent attribution.

This is not a community-of-researchers credit. It is a single Anthropic-led bloc running the model and handing Mozilla the output. That matters for reading the 271 claim: the upstream researcher workflow is Anthropic's, not Mozilla's, and the number that made it into the advisory reflects Mozilla's triage bar, not the model's.

What the Market Is Missing

Two things.

The first is that the real ratio - 271 claimed, 3 credited - isn't bad news for Anthropic. Three DOM and WebAssembly CVEs in a single release credited to AI-assisted analysis is a genuine artefact, and in a field where researchers often publish one such bug a year, a team shipping three at once with explicit AI tooling is material. What the ratio is, however, is a ceiling on the rhetoric. Holley's "defenders finally have a chance to win, decisively" is a sentence that fits a 271-to-0 advisory. It doesn't fit a 3-CVE advisory.

The second is that Mozilla is telling the AI-security story the way every other AI customer has told theirs - with input-funnel numbers at the top of the post and output-funnel numbers in the advisory, and no disclosed transfer function between them. For a browser that ships to half a billion users, that discipline gap is the thing to price in when reading the next release's bullet-point count.

The model is real. The CVEs are real. The 271 is a marketing number shaped like an engineering number, and until Mozilla publishes the funnel, it should be read as one.

About the author: AI Industry & Policy Reporter

Daniel is a tech reporter who covers the business side of artificial intelligence - funding rounds, corporate strategy, regulatory battles, and the power dynamics between the labs racing to build frontier models.