Security News Anthropic’s Claude found 22 vulnerabilities in Firefox over two weeks

[Miravi]

Content source

https://techcrunch.com/2026/03/06/anthropics-claude-found-22-vulnerabilities-in-firefox-over-two-weeks/

In a recent security partnership with Mozilla, Anthropic found 22 separate vulnerabilities in Firefox — 14 of them classified as “high-severity.” Most of the bugs have been fixed in Firefox 148 (the version released this February), although a few fixes will have to wait for the next release.

Anthropic’s team used Claude Opus 4.6 over the span of two weeks, starting in the JavaScript engine and then expanding to other portions of the codebase. According to the post, the team focused on Firefox because “it’s both a complex codebase and one of the most well-tested and secure open-source projects in the world.”

Notably, Claude Opus was much better at finding vulnerabilities than writing software to exploit them. The team ended up spending $4,000 in API credits trying to concoct proof-of-concept exploits, but only succeeded in two cases.

Anthropic's Claude found 22 vulnerabilities in Firefox over two weeks | TechCrunch

In a recent security partnership with Mozilla, Anthropic found 22 separate vulnerabilities in Firefox — 14 of them classified as "high-severity."

techcrunch.com

 

[Halp2001]

It’s an interesting case of how the collaboration between Mozilla’s open‑source model and AI‑assisted auditing can deliver tangible results. Beyond metrics or costs, the important thing is that capabilities are being combined to make digital walls stronger.

In the end, the fact that a project as thoroughly tested as Firefox found 22 new flaws thanks to this collaboration is good news for everyone’s security.

 

[Miravi]

There's much more to be found in Anthropic's write-up: Partnering with Mozilla to improve Firefox’s security

AI Just Found More High-Severity Bugs in Firefox in Two Weeks Than Most Months in 2025​

"AI models can now independently identify high-severity vulnerabilities in complex software."

"In this post, we share details of a collaboration with researchers at Mozilla in which Claude Opus 4.6 discovered 22 vulnerabilities over the course of two weeks. Of these, Mozilla assigned 14 as high-severity vulnerabilities—almost a fifth of all high-severity Firefox vulnerabilities that were remediated in 2025."

"Claude Opus 4.6 found 22 vulnerabilities in February 2026, more than were reported in any single month in 2025."

"As part of this collaboration, Mozilla fielded a large number of reports from us, helped us understand what types of findings warranted submitting a bug report, and shipped fixes to hundreds of millions of users in Firefox 148.0."

A Breakthrough Discovery in Minutes​

"After just twenty minutes of exploration, Claude Opus 4.6 reported that it had identified a Use After Free [...] in the JavaScript engine."

"In the time it took us to validate and submit this first vulnerability to Firefox, Claude had already discovered fifty more unique crashing inputs."

"By the end of this effort, we had scanned nearly 6,000 C++ files and submitted a total of 112 unique reports."

The Defender's Edge—for Now​

"Opus 4.6 is currently far better at identifying and fixing vulnerabilities than at exploiting them. This gives defenders the advantage."

"Claude is much better at finding these bugs than it is at exploiting them."

"The cost of identifying vulnerabilities is an order of magnitude cheaper than creating an exploit for them."

"Despite this, Opus 4.6 was only able to actually turn the vulnerability into an exploit in two cases."

"However, the fact that Claude could succeed at automatically developing a crude browser exploit, even if only in a few cases, is concerning."

"But looking at the rate of progress, it is unlikely that the gap between frontier models’ vulnerability discovery and exploitation abilities will last very long."

"Frontier language models are now world-class vulnerability researchers."

 

[Parkinsond]

Firefox: Look who's talkin'!!

Security Flaws in Anthropic’s Claude Code Risk Stolen Data, System Takeover

https://devops.com/security-flaws-in-anthropics-claude-code-risk-stolen-data-system-takeover/

 

[SeriousHoax]

I guess it proves the point that when people say, we see fewer vulnerabilities in Firefox, because there are fewer eyes on it and attackers target it less often than Chromium.

 

[Parkinsond]

I guess it proves the point that when people say, we see fewer vulnerabilities in Firefox, because there are fewer eyes on it and attackers target it less often than Chromium.

The same as "Linux is more secure" myth.

 

[ForgottenSeer 123960]

The same as "Linux is more secure" myth.

Linux runs the vast majority of the internet's servers, cloud infrastructure, and smartphones (Android). It is an incredibly high-value target and is attacked relentlessly every single second of the day. If Linux were inherently insecure and only protected by "low market share," the modern internet would collapse.

 

[Parkinsond]

Linux runs the vast majority of the internet's servers, cloud infrastructure, and smartphones (Android). It is an incredibly high-value target and is attacked relentlessly every single second of the day. If Linux were inherently insecure and only protected by "low market share," the modern internet would collapse.

As if servers and smartphones are not compromised everyday!

 

[ForgottenSeer 123960]

As if servers and smartphones are not compromised everyday!

Right, because 'more secure' obviously means 'literally impossible to hack under any circumstances ever.'

Linux runs Azure, AWS, Google Cloud, the global financial system, and billions of phones. It faces millions of automated attacks every single minute. If its security model was actually a myth and just based on 'low market share,' the modern internet would have collapsed a decade ago.

 

[Parkinsond]

If its security model was actually a myth

I did not say it is "insecure"; I have said "it is not more secure"; precision.

 

[ForgottenSeer 123960]

I did not say it is "insecure"; I have said "it is not more secure"; precision.

You originally stated that Linux being more secure is a 'myth,' but even with your 'precision,' you're ignoring basic threat modeling. Security isn't a binary state; it's a sliding scale based on architecture and attack surfaces. Linux's sandboxing, privilege separation, and permission structures natively provide a much higher baseline of security, meaning it is fundamentally more secure out-of-the-box. <---

When a Linux setup actually gets breached, it is almost never because of a flaw in the Linux kernel itself. Most Linux breaches happen due to human error, administrators leaving doors wide open through severe misconfigurations, using weak or default credentials, or running vulnerable, unpatched third-party applications on top of the OS. The fact that attackers have to rely so heavily on these application-layer mistakes or social engineering to compromise a system proves that the underlying operating system is doing the heavy lifting.