
Mozilla Firefox Fixes 423 Security Flaws in April 2026 Thanks to AI

Brace yourself: 423 security flaws were fixed in the Mozilla Firefox web browser in April 2026. Thanks to the use of AI, including Claude Mythos from Anthropic, Mozilla teams were able to identify many previously unknown vulnerabilities.

AI, the New Pillar of Code Analysis

Vulnerability research is evolving with artificial intelligence, especially with the most capable models. An article published by Brian Grinstead, Christian Holler, and Frederik Braun, Mozilla engineers, looks back at this extraordinary vulnerability hunt carried out in Firefox's code over the past several weeks.

As they explain, "it is inexpensive and easy to ask an LLM to find a "problem" in code, but slow and costly to respond to it." In other words, the real cost is the human time spent checking false positives. However, the situation is improving for two reasons:

  • AI model capabilities have improved significantly,
  • Researchers using them have improved too, especially in optimizing the techniques used to leverage them (prompting, chaining, etc.).

"Over the past few years, we have run internal experiments on code auditing using LLMs, starting with models such as GPT-4 or Sonnet 3.5 to statically analyze high-risk code for vulnerabilities. These experiments were promising, but the high false-positive rate made them difficult to scale," the authors write.

To achieve satisfactory results, Mozilla set up an automated security pipeline (called an agentic harness) coupled with its existing fuzzing infrastructure. Testing was carried out notably with Claude Opus 4.6, using a system capable of creating and running reproducible test cases to prove that a bug exists. This makes it possible to filter out false alerts and feed confirmed bugs efficiently into the classic vulnerability-handling lifecycle (detection, deduplication, triage, and fix deployment).
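As an added illustration (not Mozilla's harness or code), here is the shape of that confirm-by-reproduction step: each model finding must carry a runnable reproducer, only deterministic crashes survive, and survivors are bucketed by a hash of their top stack frames so one root cause is triaged once. The `Candidate`/`triage` helpers, the claim names and the stack frames are all constructed for the demo.

```python
# Added illustration (not Mozilla's harness): an LLM-reported finding only
# counts once its reproducer crashes deterministically; confirmed crashes are
# then bucketed by a hash of their top stack frames, as in fuzzing triage.
import hashlib
from dataclasses import dataclass
from typing import Callable, Optional

Crash = list[str]                           # stack frames, innermost first
Reproducer = Callable[[], Optional[Crash]]  # None means "did not crash"

@dataclass
class Candidate:
    claim: str              # what the model asserts is wrong
    reproducer: Reproducer  # test case the harness can execute

def crash_signature(frames: Crash, depth: int = 3) -> str:
    # Bucket on the top frames so one root cause reached through different
    # call paths collapses into a single bug for the human reviewer.
    return hashlib.sha256("|".join(frames[:depth]).encode()).hexdigest()[:12]

def reproduces(cand: Candidate, runs: int = 3) -> Optional[Crash]:
    # Demand the identical crash on every run; absent or flaky crashes are
    # treated as false positives and never reach a person.
    results = [cand.reproducer() for _ in range(runs)]
    if any(r is None for r in results) or len({tuple(r) for r in results}) != 1:
        return None
    return results[0]

def triage(candidates: list[Candidate]) -> tuple[dict[str, list[str]], list[str]]:
    # Returns ({signature: [claims sharing it]}, [rejected claims]).
    buckets: dict[str, list[str]] = {}
    rejected: list[str] = []
    for cand in candidates:
        frames = reproduces(cand)
        if frames is None:
            rejected.append(cand.claim)
        else:
            buckets.setdefault(crash_signature(frames), []).append(cand.claim)
    return buckets, rejected

# Constructed sample findings; the stack frames are made up for the demo.
SAMPLE = [
    Candidate("OOB read in parser", lambda: ["parse_len", "parse_hdr", "read_doc", "main"]),
    Candidate("Same parser bug via loader", lambda: ["parse_len", "parse_hdr", "read_doc", "load"]),
    Candidate("UAF in cache", lambda: ["cache_get", "lookup", "main"]),
    Candidate("Integer overflow (no repro)", lambda: None),
]
```

Running `triage(SAMPLE)` yields two unique bugs (the two parser claims share one signature) and one rejected claim.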

The Arrival of Claude Mythos Preview

Claude Opus 4.6 was also backed by Claude Mythos Preview, the most powerful model currently available and one that is not publicly accessible. As a result, in April 2026 alone, Mozilla fixed a total of 423 security flaws in its Firefox browser. It is worth recalling that Claude Mythos Preview helped identify 271 vulnerabilities whose patches were integrated into Firefox 150 (as well as in updates 149.0.2, 150.0.1, and 150.0.2).

If we look at the severity of the 271 flaws discovered thanks to Claude Mythos Preview, here is the breakdown:

  • 180 high-severity flaws: these are vulnerabilities that can be triggered by normal user behavior, such as simply browsing a web page.
  • 80 moderate-severity flaws: these are weaknesses that require complex and unusual actions from the victim.
  • 11 low-severity flaws: issues that cause disruptions, such as a browser crash, but pose no direct danger to the user or their data.

In its report, Mozilla included some additional details about certain vulnerabilities. These include vulnerabilities that have been present in Firefox for 15 or 20 years, such as an XSLT flaw.

Beyond discovering these vulnerabilities, AI also made it possible to test and validate the robustness of certain defense mechanisms. "What the models did not find is just as interesting as what they did discover — not because they did not try, but because they were unable to bypass Firefox's layered defenses," the authors write.

It should be noted that to address all of these security issues, Mozilla was able to rely on around a hundred contributors! Let us end with this sentence: "The current moment is perilous, but also full of opportunity. Let us work together to secure the Internet."

Florian Burnel Co-founder of IT-Connect