Bhavik Mehta

Anthropic's Mythos Finds 271 Firefox Security Bugs

2026-04-22 · 9 min read
#AI Security #Anthropic #Claude Mythos #Firefox #Project Glasswing

The Attacker's Long-Standing Advantage Just Expired

For the better part of three decades, software security has had a fundamental asymmetry problem. An attacker needs to find one exploitable bug. A defender needs to find all of them. Human security researchers, however skilled, are rate-limited by time, attention, and the sheer density of modern codebases. Fuzzing tools — which bombard software with malformed inputs to trigger crashes — automate part of the process, but they're blind to logic vulnerabilities that require reasoning about program state. The result: most shipped software has an unknown tail of latent bugs that attackers, given enough time and motivation, will eventually find.

Firefox's codebase is approximately 20 million lines. Mozilla employs one of the best security teams in open-source software. And yet, when they gave an early version of Anthropic's Claude Mythos Preview access to an unreleased version of the browser, it returned 271 vulnerabilities in a single evaluation pass.

That number deserves unpacking before it becomes a headline statistic. These aren't theoretical issues or style violations. They're security-sensitive bugs — the kind that, in a hardened target like Firefox, would each have triggered a red-alert response in 2025. Firefox CTO Bobby Holley put it plainly in a statement this week: "For a hardened target, just one such bug would have been red-alert in 2025, and so many at once makes you stop to wonder whether it's even possible to keep up."

Claude Mythos Preview — Anthropic's restricted frontier AI model for cybersecurity research

What Mythos Preview Actually Is

Anthropic announced Claude Mythos Preview on April 7, 2026. Unlike Opus 4.6 or Sonnet 4.6, Mythos Preview is not publicly available — and that restriction is deliberate. The model represents what the company's red team describes as "a watershed moment for security," a general-purpose frontier model that happens to be exceptionally capable at one category of work: finding and exploiting software vulnerabilities.

The capability that makes Mythos different from earlier models isn't fuzzing or static analysis in the traditional sense. It performs what Anthropic calls "code reasoning analysis" — the model reasons through program logic, tracks data flows across files and function boundaries, and identifies the subtle invariants that, when violated, create exploitable conditions. This is the same skill that distinguishes an elite human security researcher from a tool that pattern-matches for known vulnerability classes. Elite researchers reason; most tools scan.

Anthropic's own red team benchmarks make the performance gap concrete. Against the Firefox JavaScript shell, Claude Opus 4.6 succeeded at exploit development twice from several hundred attempts. Mythos Preview developed 181 working exploits from equivalent testing. On a broader set of roughly 7,000 code repository entry points across multiple operating systems and browsers, Mythos achieved full control flow hijack on ten separate targets. Previous models reached only single tier-3 crashes on the same targets.

The findings extend well beyond Firefox. The model independently identified a 27-year-old vulnerability in OpenBSD's TCP SACK implementation — a signed integer overflow that had survived decades of expert auditing. It found a 16-year-old H.264 codec bug in FFmpeg, where slice numbering collided with sentinel values to produce out-of-bounds writes missed by extensive fuzzing campaigns. It developed a working remote code execution exploit against FreeBSD's NFS implementation using a 17-year-old stack buffer overflow, constructing a 20-gadget ROP chain split across multiple network packets.

These aren't classes of bugs that emerge from pattern matching. They require sustained multi-step reasoning over large codebases — the exact thing that language models, until very recently, were structurally incapable of.

The Mozilla Collaboration: From 22 to 271

The Mozilla story has a before-and-after that illustrates the capability jump sharply.

Earlier in 2026, Mozilla's security team worked with Claude Opus 4.6 to audit Firefox 148. The result: 22 security-sensitive bugs, which were patched before release. That was already meaningful. Most security audits of equivalent scope would be considered successful at far lower yield.

When Anthropic offered Mozilla early access to Mythos Preview to analyze Firefox 149's codebase — the pre-release code for what would become Firefox 150 — the yield was 271 vulnerabilities. More than twelve times as many, from what Holley described as a process that "required no human intervention to identify the bugs." Firefox 150 shipped this week with all 271 patched.

Holley's framing of what this represents is worth quoting directly: "We are entering a world where we can finally find them all." He continued: "So far we've found no category or complexity of vulnerability that humans can find that this model can't."

The methodology involved giving Mythos access to unreleased Firefox source code and letting the model conduct code reasoning analysis — the same workflow a human researcher would use, but compressed into a timeline no human team could match at that scale. Holley estimated that "using Mythos saved the company months of costly human effort to find a single bug."

Bobby Holley, speaking to Wired, issued a broader warning to the industry: AI-assisted vulnerability analysis is something every piece of software will now need to engage with. The bugs it finds are "buried underneath the surface" and are "now discoverable" in a way they weren't six months ago.

What Mythos Couldn't Do

The honest version of this story requires acknowledging what the capability assessment also found, because it shapes the actual security implications.

Mozilla and Anthropic were both careful to state that Mythos Preview has not surfaced any new classes of vulnerabilities. Everything it found is something an elite human researcher could, in principle, also find. The model's advantage is in scale, speed, and cost per finding — not in discovering fundamentally new attack primitives.

Holley's exact language: "We also haven't seen any bugs that couldn't have been found by an elite human researcher."

This matters for two reasons. First, it sets an honest ceiling on current claims. Second, it's actually the more strategically significant finding for defenders. If Mythos can find at researcher-quality yield at machine scale, the question of whether the bugs are novel is less relevant than the question of whether defenders can now reach them before attackers do.

There's a darker statistic in Anthropic's own red team report: over 99% of vulnerabilities the model identified across all its testing targets remain unpatched. The company is coordinating disclosure, but the sheer volume overwhelms existing patch pipelines. This isn't a failure of Mythos — it's a systems problem that the security industry will need to solve as AI-assisted discovery scales.

Why It's Not Public: Project Glasswing and the Dual-Use Problem

Anthropic made a deliberate choice not to deploy Mythos Preview through Claude.ai or the API. The model's offensive capability — the same capability that makes it valuable for defense — would, in the wrong hands, compress the timeline for finding and exploiting vulnerabilities in critical infrastructure from months to hours.

The company's response is Project Glasswing: a selective access program that grants early access to more than 40 major technology, cybersecurity, and financial organizations. Amazon, Apple, and Microsoft are among the participants. The intent is to use the transition window — before comparable models are broadly available — to shore up defenses in critical software before capabilities diffuse.

Mozilla's access came through direct collaboration with Anthropic, separate from the formal Project Glasswing consortium, reflecting the organization's unique position as a steward of a widely deployed open-source browser.

The approach is not without friction. On the same day Project Glasswing was announced, Anthropic began investigating reports of unauthorized access to Mythos Preview — suggesting that capability restrictions, however deliberate, face pressure from actors who would prefer to acquire the model through other means. CISA, the US government's primary cybersecurity agency, is notably absent from the Glasswing access list as of this writing.

The dual-use tension isn't resolvable through access restrictions alone. Anthropic's red team report acknowledges that "most security tooling has historically benefitted defenders more than attackers," and expresses cautious optimism that language models will follow the same pattern — but names the transitional period explicitly as "tumultuous." The 271-bug finding is a data point in the optimistic direction. The unauthorized access reports are a data point in the other.

What Security Teams Should Do Right Now

Bobby Holley's message to the industry isn't triumphalist. It's a directive: "This type of AI-assisted vulnerability analysis is something every software company will need to integrate into its workflow." The 271-bug finding isn't an anomaly specific to Firefox's codebase. It's a demonstration of what AI-assisted auditing now looks like at scale, and it will generalize.

Anthropic's own recommendation in the red team report: "Use generally-available frontier models to strengthen defenses now, and begin preparing defensive infrastructure for accelerated vulnerability discovery cycles." Even without access to Mythos Preview, models like Claude Opus 4.6 found 22 bugs in a single Firefox audit. That's not a proof of concept — it's a production workflow. Security teams that aren't running code reasoning analysis against their own codebases are ceding ground.

The analogy Holley's team used internally is apt: closing the gap between machine-discoverable and human-discoverable bugs "erodes the attacker's long-term advantage by making all discoveries cheap." When defenders can find bugs as fast as attackers, the asymmetry that has defined software security for thirty years starts to break.

The 271 number is arresting. The more important number is the one in the gap that's been closing since fuzzing was invented, and that Mythos, for the first time, suggests defenders might actually close.

Disclaimer: This blog post was researched, written, and published with the assistance of AI. The content reflects general information on the topic and does not represent the personal opinions, beliefs, professional advice, or endorsements of Bhavik Mehta. Nothing in this post should be construed as legal, financial, technical, or professional advice. Readers should independently verify any information before acting on it.