{"id":723311,"date":"2026-04-22T22:05:11","date_gmt":"2026-04-22T19:05:11","guid":{"rendered":"https:\/\/buradabiliyorum.com\/en\/mozilla-fixes-271-firefox-vulnerabilities-found-by-anthropics-claude-mythos-in-a-single-evaluation-pass\/"},"modified":"2026-04-22T22:05:11","modified_gmt":"2026-04-22T19:05:11","slug":"mozilla-fixes-271-firefox-vulnerabilities-found-by-anthropics-claude-mythos-in-a-single-evaluation-pass","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/mozilla-fixes-271-firefox-vulnerabilities-found-by-anthropics-claude-mythos-in-a-single-evaluation-pass\/","title":{"rendered":"Mozilla fixes 271 Firefox vulnerabilities found by Anthropic&#8217;s Claude Mythos in a single evaluation pass"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.thenextweb.com\/2026\/04\/mozilla-firefox-claude-mythos-271-vulnerabilities.avif\" \/><\/p>\n<div id=\"article-main-content\">\n<p><em>Summary: Mozilla released Firefox 150 with fixes for 271 security vulnerabilities identified by Anthropic\u2019s Claude Mythos Preview, an unreleased frontier AI model distributed under the restricted Project Glasswing programme. The collaboration began with Claude Opus 4.6 finding 22 bugs in Firefox 148 earlier this year; Mythos produced more than twelve times as many. 
Firefox CTO Bobby Holley said the defects are \u201cfinite\u201d and that defenders can \u201cfinally find them all,\u201d while the UK AI Security Institute confirmed Mythos can also execute autonomous multi-stage network attacks, making the dual-use tension the central policy question.<\/em><\/p>\n<p>Mozilla released Firefox 150 on Monday with fixes for 271 security vulnerabilities identified by Anthropic\u2019s Claude Mythos Preview, an unreleased frontier AI model restricted to a handful of organisations under Project Glasswing. The number is striking not because the bugs were exotic but because they were not. \u201c<em>We haven\u2019t seen any bugs that couldn\u2019t have been found by an elite human researcher,<\/em>\u201d Mozilla said in a blog post titled \u201c<em>The zero-days are numbered<\/em>.\u201d The point is that no human team could have found 271 of them this fast.<\/p>\n<p>The collaboration between Mozilla and Anthropic began earlier this year with a more modest effort. Starting in February, Firefox\u2019s security team used Claude Opus 4.6 to scan nearly 6,000 C++ files across the browser\u2019s codebase. That pass produced 112 unique reports, of which 22 were confirmed as security-sensitive bugs and shipped as fixes in Firefox 148. Fourteen were classified as high severity, representing almost a fifth of all high-severity Firefox vulnerabilities remediated in 2025. The Mythos evaluation, which followed as part of the continued partnership, produced more than twelve times as many confirmed vulnerabilities. 
Bobby Holley, Firefox\u2019s chief technology officer, described the experience as giving the team \u201c<em>vertigo<\/em>.\u201d<\/p>\n<h2><span class=\"ez-toc-section\" id=\"What_Mythos_is_and_who_gets_to_use_it\"><\/span>What Mythos is, and who gets to use it<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Claude Mythos Preview is the model at the centre of<span>\u00a0<\/span>Anthropic\u2019s restricted Mythos model<span>\u00a0<\/span>programme, Project Glasswing, announced on 7 April. It is a general-purpose frontier model, not a security-specific tool, but its coding capabilities have crossed a threshold that Anthropic considers significant enough to warrant controlled distribution. The UK\u2019s AI Security Institute evaluated the model and found it capable of executing multi-stage network attacks autonomously, completing a 32-step corporate network attack simulation called \u201c<em>The Last Ones<\/em>\u201d in three out of ten attempts. 
It can chain multiple small vulnerabilities into a single devastating attack, reconstruct source code from deployed software to find exploitable weaknesses, and build custom tools for lateral movement and data extraction once inside a network.<\/p>\n<p>Access is restricted to 12 named launch partners, including Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, Nvidia, and Palo Alto Networks, with roughly 40 additional organisations granted access for defensive security work. Anthropic committed up to $100 million in usage credits and $4 million in direct donations to open-source security organisations, including $2.5 million to Alpha-Omega and OpenSSF through the Linux Foundation and $1.5 million to the Apache Software Foundation. The model is available to Glasswing participants at $25 per million input tokens and $125 per million output tokens through the Claude API, Amazon Bedrock, Google Cloud\u2019s Vertex AI, and Microsoft Foundry.<\/p>\n<p>The restricted rollout has already been tested. 
On the same day Anthropic announced Glasswing, a group of<span>\u00a0<\/span>unauthorised users gained access<span>\u00a0<\/span>to Mythos Preview by guessing the model\u2019s URL through a third-party vendor environment, an incident Anthropic said it is investigating.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"The_defenders_argument\"><\/span>The defender\u2019s argument<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Holley framed the 271 vulnerabilities not as an indictment of Firefox\u2019s code quality but as evidence that the security landscape is shifting in favour of defenders for the first time. \u201c<em>A gap between machine-discoverable and human-discoverable bugs favors the attacker, who can concentrate many months of costly human effort to find a single bug<\/em>,\u201d he wrote. \u201c<em>Closing this gap erodes the attacker\u2019s long-term advantage by making all discoveries cheap<\/em>.\u201d<\/p>\n<p>The logic is straightforward. A zero-day vulnerability is valuable to an attacker precisely because it is unknown. If a defender can find and patch the same bug before an attacker discovers it, the bug has no offensive value. The cost asymmetry has historically favoured attackers: a browser like Firefox has millions of lines of code, and a single undiscovered flaw in any of them is enough for exploitation. An elite human security researcher might spend weeks or months finding one such flaw. A model like Mythos can scan the entire codebase in a fraction of that time. Mozilla\u2019s thesis is that this changes the economics permanently. \u201c<em>Software like Firefox is designed in a modular way for humans to be able to reason about its correctness<\/em>,\u201d the blog post stated. \u201c<em>It is complex, but not arbitrarily complex. The defects are finite, and we are entering a world where we can finally find them all<\/em>.\u201d<\/p>\n<p>The claim is bold and deliberately so. 
Mozilla is arguing that the age of zero-day vulnerabilities in well-structured software has an expiration date, not because attackers will stop looking, but because defenders will get there first.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"The_numbers_in_context\"><\/span>The numbers in context<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The 271 figure requires some unpacking. Mozilla\u2019s official security advisory for Firefox 150, MFSA 2026-30, lists 41 CVE entries, three of which are standard memory-safety roll-ups that aggregate multiple individual bugs under a single identifier. The 271 number represents the total count of discrete code defects identified by Mythos during its evaluation, many of which were grouped into those CVE bundles. The distinction matters because the headline number and the formal advisory number measure different things: one measures what the AI found, the other measures<span>\u00a0<\/span>how much AI-generated code actually ships<span>\u00a0<\/span>through the industry\u2019s standard vulnerability disclosure process.<\/p>\n<p>The most dangerous flaws include use-after-free vulnerabilities in the DOM and WebRTC components, the kinds of memory safety bugs that have been the bread and butter of browser exploitation for two decades. These are not novel attack surfaces. They are the same categories of bugs that Google\u2019s Project Zero has been finding across browsers since 2014. Google\u2019s own AI vulnerability research programme, Big Sleep, a collaboration between Project Zero and DeepMind, found a zero-day in SQLite in October 2024 and has since expanded to discover multiple flaws in widely used software. 
The difference with Mozilla\u2019s effort is scale: 271 bugs in a single evaluation pass, patched before release, across a codebase that has accumulated technical debt over more than two decades.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"The_dual-use_problem\"><\/span>The dual-use problem<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The UK AI Security Institute\u2019s evaluation of Mythos Preview confirmed what the Mozilla results imply from the other direction: the same capabilities that make the model effective at finding vulnerabilities make it effective at exploiting them. The model became the first AI to complete \u201cThe Last Ones,\u201d a benchmark designed to simulate a full corporate network compromise. It succeeded in three out of ten attempts, averaging 22 of 32 steps across all runs. Independent testing confirmed that Mythos cannot reliably execute autonomous attacks against organisations with well-hardened defences, but the trajectory is clear. Each generation of frontier model has performed better on offensive security benchmarks than the last.<\/p>\n<p>This is the tension that Project Glasswing is designed to manage. By restricting Mythos to vetted organisations with defensive mandates, Anthropic is attempting to give defenders a structural head start, a window in which the good actors can scan and patch before the capabilities proliferate. The strategy depends on the restriction holding. The vendor breach on launch day suggests that containment is harder than access control. Anthropic has also identified thousands of zero-day vulnerabilities across every major operating system and every major web browser using Mythos, findings it is disclosing to the affected vendors through Glasswing.<\/p>\n<p>Anthropic\u2019s expanding enterprise footprint, from legal contract review in Microsoft Word to cybersecurity through Glasswing, reflects a company that is monetising Claude across every professional vertical where accuracy matters. 
The Mozilla partnership is the most dramatic demonstration yet, not because the model did something no human could do, but because it did what only a handful of humans can do, and did it 271 times in a single pass.<\/p>\n<p>Holley\u2019s conclusion captures both the promise and the vertigo: \u201cOur work isn\u2019t finished, but we\u2019ve turned the corner and can glimpse a future much better than just keeping up. Defenders finally have a chance to win, decisively.\u201d Whether that future arrives depends on whether the models that find the bugs remain in the hands of the people who fix them, or whether the capabilities leak faster than the patches ship. For now, Firefox 150 has 271 fewer ways to be broken. That is not a small thing. The question is how long that advantage lasts when the tool that found them is<span>\u00a0<\/span>commanding extraordinary valuations<span>\u00a0<\/span>precisely because of what it can do.<\/p>\n<\/p><\/div>\n
<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/thenextweb.com\/news\/mozilla-firefox-claude-mythos-271-vulnerabilities\" target=\"_blank\" >Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Summary: Mozilla released Firefox 150 with fixes for 271 security vulnerabilities identified by Anthropic\u2019s Claude Mythos Preview, an unreleased frontier AI model distributed under the restricted Project Glasswing programme. The collaboration began with Claude Opus 4.6 finding 22 bugs in Firefox 148 earlier this year; Mythos produced more than twelve times as many. 
Firefox CTO&#8230;<\/p>\n","protected":false},"author":1,"featured_media":723312,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/media.thenextweb.com\/2026\/04\/mozilla-firefox-claude-mythos-271-vulnerabilities.avif","fifu_image_alt":"","footnotes":""},"categories":[18],"tags":[],"class_list":["post-723311","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/723311","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=723311"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/723311\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/723312"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=723311"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=723311"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=723311"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}