AI Helps Discover 22 Security Vulnerabilities in Firefox Browser

A collaboration between Anthropic and Mozilla shows how artificial intelligence can help security researchers detect software flaws faster.

Anthropic has discovered 22 security vulnerabilities in the Mozilla Firefox web browser as part of a security partnership with Mozilla.

Researchers found the issues during a two-week testing period in January 2026. Most of the vulnerabilities were fixed in Firefox version 148, released last month.

Several High-Severity Bugs Identified

Out of the 22 vulnerabilities discovered:

  • 14 were classified as high severity
  • 7 were rated moderate
  • 1 was rated low severity

The issues mainly affected browser components such as the JavaScript engine and memory management systems.

Anthropic said its AI model detected a use-after-free bug in the browser’s JavaScript engine after about 20 minutes of code exploration. A human researcher later verified the issue in a secure testing environment.

AI Scanned Thousands of Source Files

During the project, the company used its large language model Claude Opus 4.6 to analyze the Firefox codebase.

The AI system scanned nearly 6,000 C++ source files and generated 112 vulnerability reports.

Many of those reports helped researchers identify security flaws that developers later fixed in recent Firefox updates.

Anthropic noted that the high-severity bugs discovered during this test represent almost one-fifth of all high-severity vulnerabilities fixed in Firefox during 2025.

AI Can Find Bugs Faster Than It Can Exploit Them

Researchers also tested whether the AI could turn discovered vulnerabilities into working exploits.

The system attempted this task hundreds of times, using about $4,000 worth of API credits.

However, the AI managed to create a working exploit in only two cases.

This result highlights an important point: finding vulnerabilities is easier than building reliable exploits.

Example Vulnerability Discovered

One of the identified flaws, tracked as CVE-2026-2796, involves a just-in-time (JIT) miscompilation in the browser’s JavaScript WebAssembly component.

The vulnerability received a CVSS score of 9.8, which indicates a critical security risk if exploited.

Researchers tested the exploit in a controlled environment where certain security protections were disabled.

AI Becoming a New Tool for Security Researchers

The project also helped uncover 90 additional bugs in the Firefox codebase.

Many of these were assertion failures and logic errors that traditional fuzzing tools often miss.

Mozilla says the results demonstrate how AI-assisted code analysis can strengthen software security.

According to the organization, combining automated analysis with human expertise can significantly improve vulnerability detection in large software projects.

Why This Matters

Modern software projects contain millions of lines of code, making manual security reviews difficult.

AI tools can help security teams scan codebases quickly and identify hidden weaknesses before attackers exploit them.

While AI-generated exploits remain limited, the technology is already proving useful for early vulnerability detection and secure software development.