Firefox Uncovers 20-Year-Old Bugs with AI: How Mythos AI Fixed 423 Vulnerabilities in 30 Days

Mozilla’s latest Firefox security update offers a rare look at how frontier AI capabilities can empower defenders before attackers exploit them. In April 2026, the company fixed 423 Firefox security bugs after gaining access to Claude Mythos Preview, a significant jump from the roughly 420 fixes rolled out over the previous 14 months. This rapid acceleration signals a shift in how security vulnerabilities are identified and resolved in mature, heavily tested software.

The breakthrough underscores the potential of AI in uncovering latent risks within complex codebases. Mozilla compressed a year’s worth of security fixes into a single month, then disclosed a sample of the bugs to illustrate the depth of unresolved vulnerabilities still present in Firefox’s long-standing architecture.

Uncovering Decades-Old Flaws

The most striking discovery was a 20-year-old XSLT reentrancy bug (Bug 2025977), where key() calls could trigger a hash table rehash, free backing storage, and leave a raw entry pointer in use. Another critical find was a 15-year-old flaw in the HTML legend element (Bug 2024437). These types of long-buried defects often evade traditional testing methods—such as fuzzing, manual review, and bug bounty programs—because they reside in obscure edge cases, older subsystems, or intricate interactions across distant parts of the browser.

AI’s Role in Firefox’s Security Overhaul

Mozilla reported that Claude Mythos Preview helped identify and fix 271 bugs in Firefox 150, with additional patches shipped in versions 149.0.2, 150.0.1, and 150.0.2. Of these 271 bugs:

• 180 were rated sec-high
• 80 were rated sec-moderate
• 11 were rated sec-low

The surge in fixes is evident in Mozilla’s security bug fix volume graph, which shows a steady range of 20-30 fixes per month throughout 2025, spiking to 60-70 in February and March 2026, before reaching 423 in April 2026.

Mozilla’s security severity framework classifies sec-high vulnerabilities as those that can be triggered by normal user behavior—such as visiting a web page—placing these findings in a critical operational category, even without confirmed real-world exploitation.

Why Firefox’s Case Matters

Firefox is an old, high-value, and heavily scrutinized browser. Its code has been tested by internal teams, external researchers, automated fuzzers, bug bounty hunters, and attackers for decades. The April surge is particularly significant because it demonstrates that vulnerabilities can still emerge in projects with mature security engineering, not just in lightly reviewed or newly developed codebases.

From AI Discovery to Actionable Fixes

Mozilla previously found that AI-generated security reports for open-source projects often came with a high noise burden. While the reports appeared plausible, many were incorrect, creating an asymmetry: generating claims was cheap, but validating them required significant engineering time and expertise. However, the dynamic shifted as AI models improved and Mozilla developed a structured pipeline to harness their capabilities.

The company described a security pipeline that could:

• Steer models toward specific code areas
• Generate reproducible test cases
• Filter noise from AI-generated reports
• Deduplicate findings to avoid redundancy
• Triage severity levels accurately
• Move confirmed bugs into the security lifecycle for patching

In this system, the AI model provided the discovery power, while the surrounding infrastructure transformed raw findings into actionable, validated reports and patches. The disclosed sample in Mozilla’s technical write-up included a WebAssembly GC bug that could create a fake-object primitive with potential for arbitrary read or write operations, as well as IPC race conditions affecting parent-process references.