How Claude Mythos Preview Found 271 Hidden Bugs in Firefox—And Why That's Actually Good News
AI-generated, human-reviewed.
AI-powered vulnerability discovery is uncovering decades of hidden security debt in critical software—and the industry's response will define cybersecurity for years to come.
On Security Now episode 1080, Steve Gibson and Leo Laporte delivered a detailed analysis of what happens when frontier AI models are pointed at production codebases. The results, drawn from Mozilla's published account of working with Anthropic and from Cisco's internal threat modeling, suggest that software security is entering a fundamentally new phase—one that is disorienting in the short term but potentially decisive for defenders in the long run.
What Mozilla Found When It Ran Claude Mythos Preview on Firefox
The most concrete data point in this episode comes from Mozilla. Since February, the Firefox team has been working with Anthropic to apply frontier AI models to their codebase. An earlier collaboration using Claude Opus 4.6 surfaced 22 security-sensitive bugs, which were resolved in Firefox 148.
The follow-up was dramatically more consequential. When Mozilla applied an early version of Claude Mythos Preview—Anthropic's unreleased frontier model—to Firefox, it uncovered 271 previously unknown vulnerabilities. Those fixes shipped in Firefox 150.
To put that in context: Firefox is one of the most security-hardened, heavily scrutinized codebases in existence. Mozilla employs dedicated red teams. They lead the industry in Rust adoption. They use defense-in-depth sandboxing. And yet Mythos Preview surfaced hundreds of latent flaws that years of fuzzing, code review, and manual analysis had missed entirely.
Mozilla's own post-mortem was candid: the team had to reprioritize nearly everything else to address the findings. As Gibson noted on the show, they described the experience as inducing "vertigo"—but ultimately described their outlook as hopeful. Defenders, Mozilla concluded, now have a genuine chance to win.
Why Cisco Is Sounding the Alarm About What Comes Next
Mozilla's experience is not unique. Cisco was among the select organizations given early access to Claude Mythos Preview as part of Anthropic's Project Glasswing—a controlled effort to allow trusted partners to find and patch vulnerabilities before any public release.
Cisco's security blog, citing their internal experience with the model, raised pointed questions about whether the industry's infrastructure for managing vulnerabilities can survive what's coming. The concern centers on patch deployment latency: the gap between when a vulnerability is discovered and when it's actually fixed across a user base.
Cisco's researchers pointed out that the median enterprise patch deployment time is approximately 20 days. In March 2026, a critical vulnerability in Langflow was actively exploited within 20 hours of its advisory—with no public proof-of-concept code available. Attackers built working exploits directly from the description. Gibson highlighted this on the show: twenty days to patch, twenty hours to exploit. That gap already exists. AI-scale discovery doesn't create the problem; it accelerates it.
Cisco also challenged the viability of the CVE system in an era of machine-speed discovery. The Common Vulnerabilities and Exposures program turns 27 this year. It was designed for an era when the security community tracked hundreds of vulnerabilities annually—321 CVEs were issued in all of 1999. By 2023, that number had climbed to nearly 29,000. A 2026 forecast projected roughly 59,000 CVEs this year—before Project Glasswing was announced. Cisco's researchers argue that a system built for human-speed discovery, human-speed enrichment, and human-speed consumption cannot handle what AI-scale auditing is about to produce.
Gibson's Counterargument: This Is Debt Repayment, Not Collapse
Steve Gibson pushed back on the more alarming framing—and it's worth understanding why.
The title of episode 1080 is "Vulnerability Debt Repayment," and that phrase carries the weight of Gibson's thesis. His argument: what we're witnessing isn't a permanent escalation in vulnerability volume. It's a one-time reckoning with accumulated technical debt—flaws that have existed, undiscovered, across decades of code.
When Claude Mythos Preview scanned Firefox and found 271 vulnerabilities, those weren't new vulnerabilities. They were old ones that had been invisible. Once found and fixed, they're gone. The next scan of the same codebase won't produce 271 findings—it will produce far fewer, and eventually close to none, assuming ongoing AI-assisted code review catches mistakes before they ship.
Gibson's optimistic scenario: once the backlog is cleared, AI vulnerability discovery becomes a continuous quality gate rather than a crisis trigger. Code gets checked before release. The class of exploitable bugs that has defined software security for decades gradually disappears.
Mozilla's own statement supports this framing. They described the attack surface as "not infinite" and their conclusion was direct: "Defects are finite, and we are entering a world where we can finally find them all."
Gibson did acknowledge the legitimate concern that Cisco and others are raising about the transition period—particularly for organizations with massive, aging codebases and no effective auto-update infrastructure. The path from here to the stable equilibrium he describes runs through a turbulent stretch.
The Real Bottleneck: Patch Deployment, Not Discovery
One of the episode's clearest takeaways is that vulnerability discovery is no longer the hard part. The bottleneck has shifted entirely to deployment.
A handful of software suppliers—Microsoft, Apple, Google, and the major browsers—have the infrastructure to push updates autonomously and at scale. These organizations are positioned to absorb the coming wave of AI-generated patches without their users noticing much disruption.
The rest of the industry is not. Network appliances, enterprise software, legacy infrastructure, and anything operating under an "if it's not broken, don't fix it" philosophy face a much harder transition. Gibson was direct: organizations that cannot deploy patches at machine speed will be exposed during the window between AI-assisted discovery and AI-assisted exploitation.
The practical guidance from this episode is straightforward:
- Enable auto-updates wherever possible, especially on internet-facing devices and browsers. Organizations that make it difficult not to stay current will benefit most from what's coming.
- Know your software inventory. The ability to answer "does this vulnerability affect us?" at machine speed requires knowing what software you run, where it runs, and how it was built. Software Bills of Materials (SBOMs) shift from compliance checkbox to operational necessity.
- Invest in autonomous patching infrastructure. Automated testing, staged rollouts, and rollback capability aren't optional improvements—they're the baseline for operating in an environment where discovery and exploitation both happen faster than human patch cycles can accommodate.
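The "know your software inventory" point above is only useful if the answer to "does this advisory affect us?" can be produced mechanically. The following Python script is an added example written for this article; it is not code from Mozilla, Cisco, Anthropic or the Security Now show. It assumes a CycloneDX-style SBOM and an OSV-style advisory (both constructed inline with placeholder package names and a placeholder advisory id), and it goes slightly beyond the text by handling several affected version ranges per package and pre-release version ordering.

```python
"""Match a software inventory (SBOM) against a vulnerability advisory.

Added example for this article, not code from Mozilla, Cisco, Anthropic
or the Security Now show. The SBOM and advisory below are constructed
sample data in a CycloneDX-like and OSV-like shape; the package names,
versions and the advisory id are placeholders, not real findings.
"""
import json

# Constructed sample SBOM (CycloneDX-style JSON, trimmed to what matters).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "example-parser", "version": "2.4.1",
     "purl": "pkg:pypi/example-parser@2.4.1"},
    {"type": "library", "name": "example-parser", "version": "3.0.0",
     "purl": "pkg:pypi/example-parser@3.0.0"},
    {"type": "library", "name": "other-lib", "version": "1.2.0",
     "purl": "pkg:pypi/other-lib@1.2.0"},
    {"type": "application", "name": "example-parser", "version": "2.9.5",
     "purl": "pkg:pypi/example-parser@2.9.5"}
  ]
}
"""

# Constructed sample advisory (OSV-style "introduced"/"fixed" events).
# EXAMPLE-0000-0001 is a placeholder identifier, not a real advisory.
ADVISORY_JSON = """
{
  "id": "EXAMPLE-0000-0001",
  "affected": [
    {"package": {"ecosystem": "PyPI", "name": "example-parser"},
     "ranges": [{"type": "ECOSYSTEM",
                 "events": [{"introduced": "2.0.0"}, {"fixed": "2.5.0"}]},
                {"type": "ECOSYSTEM",
                 "events": [{"introduced": "2.9.0"}, {"fixed": "2.9.7"}]}]}
  ]
}
"""


def parse_version(v: str) -> tuple:
    """Turn '2.4.1' into a tuple that compares numerically.

    Each dotted piece becomes (number, is_release, suffix), so a
    pre-release such as '2.4.0rc1' sorts before the final '2.4.0'.
    Pieces are padded so '2.4' and '2.4.0' compare equal.
    """
    parts = []
    for piece in v.strip().split("."):
        num = ""
        for ch in piece:
            if not ch.isdigit():
                break
            num += ch
        suffix = piece[len(num):]
        parts.append((int(num or 0), 0 if suffix else 1, suffix))
    while len(parts) < 4:
        parts.append((0, 1, ""))
    return tuple(parts)


def version_in_range(version: str, events: list) -> bool:
    """OSV range semantics: a version is affected once it reaches an
    'introduced' event and stops being affected at the next 'fixed'."""
    v = parse_version(version)
    affected = False
    for event in events:
        if "introduced" in event:
            intro = event["introduced"]
            affected = intro == "0" or v >= parse_version(intro)
        elif "fixed" in event and affected:
            if v >= parse_version(event["fixed"]):
                affected = False
    return affected


def purl_type(purl: str) -> str:
    """'pkg:pypi/example-parser@2.4.1' -> 'pypi' (the ecosystem segment)."""
    return purl.split("/")[0].split(":")[1].lower()


def affected_components(sbom: dict, advisory: dict) -> list:
    """Return (name, version, purl) for every SBOM component the advisory covers."""
    hits = []
    for aff in advisory.get("affected", []):
        pkg_name = aff["package"]["name"]
        ecosystem = aff["package"].get("ecosystem", "").lower()
        for comp in sbom.get("components", []):
            if comp.get("name") != pkg_name:
                continue
            # Same package name in a different ecosystem is a different package.
            if ecosystem and purl_type(comp.get("purl", "pkg:unknown/x")) != ecosystem:
                continue
            if any(version_in_range(comp["version"], r["events"])
                   for r in aff.get("ranges", [])):
                hits.append((comp["name"], comp["version"], comp.get("purl")))
    return hits


def triage(sbom_json: str = SBOM_JSON, advisory_json: str = ADVISORY_JSON) -> list:
    """Parse both documents and return the affected components."""
    return affected_components(json.loads(sbom_json), json.loads(advisory_json))


if __name__ == "__main__":
    for name, version, purl in triage():
        print(f"AFFECTED {name} {version} ({purl})")
```

Run against the constructed data, the script flags example-parser 2.4.1 and 2.9.5 and leaves 3.0.0 alone, because the advisory's second range ends at 2.9.7. The design choice that matters operationally is that the inventory is keyed on package URLs rather than free-text names: that is what lets the same check run unattended across every SBOM an organization holds when an advisory lands, which is the "machine speed" the article asks for.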
Key Takeaways
- Claude Mythos Preview is not a public product—it's an unreleased Anthropic model made available to select partners under Project Glasswing for controlled vulnerability research.
- Mozilla's Firefox team used it to find 271 previously unknown vulnerabilities, on top of 22 found earlier with Claude Opus 4.6. Both sets of fixes have shipped.
- Cisco's internal experience with Mythos Preview has changed their threat modeling for AI-enabled attackers. Their security researchers have argued publicly that the CVE system needs a structural overhaul.
- Gibson's central argument: this is a debt repayment event, not a new normal. Once legacy security debt is cleared, AI-assisted review should prevent most vulnerabilities from ever shipping.
- The transition period is the danger zone. Organizations without effective auto-update infrastructure face the greatest exposure.
- Mozilla's summary: "So far we have found no category or complexity of vulnerability that humans can find that this model cannot."
The Bottom Line
Security Now's read on this moment is fundamentally optimistic, if clear-eyed about the disruption ahead. The same technology that is revealing the scale of decades-old software security debt is also, for the first time, giving defenders a credible path to eliminating that debt entirely. The question isn't whether AI changes software security—it already has. The question is whether your organization's patching infrastructure is ready for a world where discovery and exploitation both happen at machine speed.
Subscribe to Security Now for weekly in-depth security analysis: https://twit.tv/shows/security-now/episodes/1080