The collaboration between artificial intelligence companies and software security teams is moving from theory to practice, and the tension between benefit and risk has never been so visible. In recent weeks, Anthropic has made public the result of joint work with Mozilla: its language model, Claude Opus 4.6, helped identify dozens of flaws in the Firefox browser, many of them high severity, which have already started to be fixed in the Firefox 148 update.
According to Anthropic's official note, the automated and human-assisted review detected 22 new vulnerabilities, of which 14 were rated as high severity, seven as moderate and one as low. The findings were made within a period of just two weeks in January 2026, and are part of a larger effort in which the team combined automated exploration with manual verification and a safe environment for reproducing the reported bugs. The announcement is available on Anthropic's page about the collaboration with Mozilla on its website.

Most striking is not only the number, but the speed and scale of the process: Anthropic claims that its system scanned about 6,000 C++ files and submitted 112 unique reports to Mozilla. Among the problems identified are classic software engineering defects that required priority attention, such as use-after-free errors in JavaScript components, a class of bug that can allow freed memory to be reused unsafely and cause unpredictable behavior.
One detail that illustrates the efficiency of the approach is that the model located one of those flaws in the JavaScript engine after only twenty minutes of automated exploration; a human researcher then reproduced and validated the problem in a virtual machine to ensure that it was not a false positive. This combination of automated detection and expert confirmation is precisely the recipe for integrating AI tools into security processes without giving up human judgment.
But not everything is applause: Anthropic also tested whether its model was able to turn those flaws into practical exploits. This experiment took several hundred attempts and about $4,000 in API credits. The result shows an important distinction between finding a vulnerability and taking advantage of it: in only two cases did the system manage to develop a functional exploit under the test conditions. One of these exploits corresponds to CVE-2026-2796, a critical problem (with a very high CVSS score) related to JIT compilation in the JavaScript WebAssembly component, which is listed in NIST's National Vulnerability Database (NVD).
It is important to highlight how the test laboratory was set up: Anthropic admits that, to facilitate experimentation, some security layers, such as sandboxing, were disabled in the environment where the exploits were tried. This factor reduces the significance of any success within these tests, because vulnerabilities that are exploitable in a degraded environment may not be exploitable in the standard configuration of a modern browser; yet the fact that a model is able to generate working code under controlled conditions raises legitimate questions about how easily automated tools can make dangerous technical progress.
In addition to finding and, in some cases, exploiting flaws, Anthropic tried another route: feeding the model vulnerability reports and asking it to write plausible patches or fixes. That line of work is in line with its most recent announcement about Claude Code Security, an initiative to use automated agents that propose fixes and verify whether they solve the problem without breaking existing functionality. The company acknowledges, with technical honesty, that not all patches generated by agents can be integrated as-is into a production code base, but verification systems increase confidence that the fix at least mitigates the specific defect.
Mozilla, for its part, has framed the findings as a demonstration of the added value these techniques provide. In its coordinated post, it explains that the AI-assisted analysis detected an additional 90 bugs, many of them already fixed, ranging from failed assertions (problems that also often turn up with fuzzing techniques) to logic errors that conventional fuzzers had not caught. On its official blog, Mozilla describes how the combination of rigorous engineering and new analysis tools allows for continuous improvement of security.
What practical lessons can be drawn from all this? First, that AI is a powerful tool for expanding the scope of code analysis: these models detect patterns and edge cases at high speed, but they often need human oversight to validate, prioritize and fix the findings. Second, that identifying a vulnerability and building a useful exploit are tasks of different complexity; for now, according to Anthropic's own experiments, the automatic generation of exploits is more expensive and less reliable than the detection of flaws. And third, the way test environments are set up matters: lowering security barriers can accelerate research, but it also gives a biased picture of real-world exploitability.

In the public and technical debate that such initiatives open up, there is room for both optimism and caution. The responsible use of AI models for security involves clear disclosure agreements, controlled environments, expert verification and close coordination with the maintainers of the affected software. Mozilla and Anthropic have followed that path by working in a coordinated way and facilitating patches, and the process has ended with the publication of fixes in the latest version of the browser and with official vulnerability notices, collected in Mozilla's security advisories.
The final lesson for users and security leads is clear: AI tools expand the defensive repertoire, but do not replace the need for good practices, human review and constant updates. Keeping the browser up to date remains the first line of defense, while the teams behind critical projects explore how to integrate automated models without opening new windows of risk.
If you want to go into the technical details and the exploitation reports that Anthropic published, its report on the experiment is available in its technical space, Anthropic Network, and the release notes for Firefox 148 are on the official browser page.