Recently, Claude Opus 4.6 found 22 security vulnerabilities in Firefox in just two weeks. Fourteen earned high-severity classifications, which is almost 20% of all high-severity Firefox bugs patched throughout 2025. Anthropic’s research went further than discovery: Claude actually wrote working exploits for some of these bugs.
Mozilla validated the findings and shipped fixes in Firefox 148 as the work shows AI can now find security flaws in battle-tested codebases at speeds humans can’t match. However, there’s a darker side: attackers could use these same capabilities to develop exploits faster than ever before.
Anthropic’s Frontier Red Team contacted Mozilla in late February after Claude flagged bugs in Firefox’s JavaScript engine. Mozilla engineers Brian Grinstead and Christian Holler said most AI-generated bug reports are garbage, yet these were different. Each came with minimal test cases, detailed proofs of concept, and candidate patches. Their team could quickly verify and reproduce the issues.
The 22 CVEs exceed the number of vulnerabilities reported in any single month in 2025, as Claude found 90 additional bugs beyond the security-critical ones, most of which are now fixed. Moreover, Mozilla pointed out something interesting: some findings matched traditional fuzzing results, yet others represented entirely new classes of logic errors that fuzzers never caught.
(Source: Anthropic blog post)
Grinstead and Holler stated that, despite Firefox having undergone extensive fuzzing, static analysis, and regular security reviews for decades, the model revealed many previously unknown bugs. They compared this moment to the early days of fuzzing, suggesting there is likely a substantial backlog of now-discoverable bugs across widely deployed software.
Anthropic’s evaluation went beyond vulnerability discovery to test whether Claude could develop exploits. The team gave Claude access to the discovered vulnerabilities and tasked it with producing working exploits that could read and write local files in a target system. After approximately $4,000 in API credits and hundreds of attempts, Claude successfully created exploits in two cases.
One such exploit targeted CVE-2026-2796, a JIT miscompilation in the JavaScript WebAssembly component. In a detailed technical analysis, Anthropic’s security researchers reverse-engineered Claude’s exploit, which exploited a type confusion vulnerability involving Function.prototype.call.bind() wrappers.
The vulnerability allowed Claude to develop exploitation primitives, including ‘addrof’ (leak an object’s address) and ‘fakeobj’ (forge a JavaScript object reference to an arbitrary address). Claude then used these to create a fake ArrayBuffer for arbitrary read/write access, ultimately achieving code execution. However, the exploit only worked in a testing environment that intentionally removed some security features, including Firefox’s sandbox.
Anthropic researchers noted:
The exploits Claude wrote only worked on our testing environment, which intentionally removed some of the security features found in modern browsers. This includes, most importantly, the sandbox, the purpose of which is to reduce the impact of these types of vulnerabilities.
They emphasized that Opus 4.6 turned vulnerabilities into exploits in only two cases, despite hundreds of attempts targeting dozens of bugs.
The disparity between Claude’s vulnerability discovery and exploitation capabilities gives defenders a temporary advantage. Anthropic stated that frontier language models are now world-class vulnerability researchers, but cautioned that “looking at the rate of progress, it is unlikely that the gap between frontier models’ vulnerability discovery and exploitation abilities will last very long.”
Mozilla has already started integrating AI-assisted analysis into its internal security workflows. The collaboration established best practices for submitting AI-generated bug reports, including the importance of including minimal test cases, detailed proofs of concept, and candidate patches.
Anthropic published its Coordinated Vulnerability Disclosure operating principles, describing procedures for working with maintainers. The company acknowledged that these processes follow standard industry norms but may need to be adjusted as model capabilities improve.
The work follows Anthropic’s previous research, demonstrating that Claude found more than 500 zero-day vulnerabilities in well-tested open-source software. Anthropic recently launched Claude Code Security in a limited research preview, bringing vulnerability discovery and patching capabilities directly to customers and open-source maintainers.
Anthropic wants to do more of this. They’re expanding their security work: finding vulnerabilities in other projects, building tools to help maintainers triage reports, and writing patches directly. They’re hiring researchers to make it happen.
Lastly, Mozilla said the collaboration reflects how they’ve always approached new technology carefully, with user security front and center. In addition, Grinstead and Holler wrote that AI is accelerating both sides of the security equation, attacks and defenses, so Mozilla will continue investing in the tools, processes, and partnerships that keep Firefox ahead of threats.
The findings underscore an urgent reality as developers need to accelerate vulnerability discovery and patching before attackers can weaponize AI to exploit them.
