Anthropic's Claude Helps Firefox Uncover Dozens of New Bugs in Latest Scan
While Anthropic's Claude has just helped Firefox uncover dozens of new security bugs, Mozilla still blames about 10% of crashes on random RAM bit-flips, a hardware flaw Claude can't fix, The Register reports.
Key Facts
- Key company: Anthropic
Mozilla’s security team says the partnership with Anthropic’s Claude Opus 4.6 has already yielded concrete results. In a blog post, engineers Brian Grinstead and Christian Holler explained that Anthropic approached Firefox with an AI‑driven vulnerability scanner that “within hours… began landing fixes” and that the collaboration uncovered 14 high‑severity bugs, leading to 22 CVEs that are now patched in the latest release (The Register). One of those CVEs, CVE‑2026‑2796, even had a working exploit generated by Claude, though the exploit only runs in a deliberately weakened test environment, according to the same source.
The bulk of the bugs were found in the browser’s core rendering and networking modules, where Claude’s model was able to propose concrete code changes that engineers could merge after brief review. The speed of the process—“hours” rather than weeks—has been highlighted as a key advantage over previous AI‑assisted tools that Mozilla tried, which “had mixed results” (The Register). The rapid turnaround allowed Mozilla to ship the fixes in a single update, reinforcing the browser’s security posture ahead of the upcoming release cycle.
While the AI-driven fixes improve the software layer, Mozilla's crash telemetry paints a different picture for overall stability. Engineer Gabriele Svelto disclosed on Mastodon that roughly 10% of Firefox crashes are attributable to random RAM bit-flips: spontaneous changes in memory caused by cosmic rays, Rowhammer attacks, or defective components (The Register). In the last week alone, Mozilla logged about 470,000 crash reports from users who opted into telemetry; of those, approximately 25,000 appear to be linked to potential bit-flips, a rate of about one in every twenty crash reports. Svelto cautioned that this figure is a conservative estimate and likely undercounts the true incidence, suggesting the real proportion could be double that, or around 20% when resource-exhaustion crashes are excluded.
The hardware‑induced crash problem is not new. Google’s 2009 study of DRAM errors in its data centers found error rates “orders of magnitude higher than previously reported,” with 8 % of DIMMs experiencing failures each year (The Register). Mozilla’s findings echo those earlier concerns, extending them beyond servers to consumer devices such as laptops, phones, routers, and printers. Svelto emphasized that “bad memory or similarly flaky hardware” is now a major factor in user‑experience degradation, a reality that no software patch—AI‑generated or otherwise—can fully remediate.
Anthropic’s involvement underscores a broader trend of AI being deployed as a defensive tool in the software supply chain. The company’s Claude model not only identified vulnerabilities but also produced a proof‑of‑concept exploit, demonstrating the dual‑use nature of advanced language models. As Reuters reported, Anthropic is simultaneously navigating political scrutiny, with the U.S. administration directing federal agencies to cease using its technology (Reuters). Nonetheless, the Firefox collaboration shows a practical, immediate benefit: AI can accelerate the discovery and remediation of security flaws that would otherwise linger for months.
In sum, Claude’s contribution has fortified Firefox’s codebase, delivering 14 high‑severity patches in a matter of days, while the lingering issue of hardware‑induced crashes remains a stubborn, external variable. Mozilla’s data suggest that even a perfect AI‑driven bug‑hunter cannot compensate for faulty silicon, highlighting the need for both software‑level vigilance and higher‑quality hardware components to achieve truly reliable browsing experiences.
This article was created using AI technology and reviewed by the SectorHQ editorial team for accuracy and quality.