
Firefox finds 20 year old bug and patches 14 months of fixes in 30 days using Anthropic’s Mythos AI
Mozilla’s latest Firefox security update provides a rare glimpse into what happens when frontier AI capabilities reach defenders before attackers. The company said it fixed 423 Firefox security bugs in April after gaining access to Claude Mythos Preview, compared with roughly 420 fixes over the previous 14 months. That compression is the signal.
The defensive side did in one month what had previously taken more than a year, then disclosed a sample of the bugs to show the depth of latent risk still present inside a mature, heavily tested browser codebase. The strongest anchor is age. One of the disclosed bugs, Bug 2025977, was a 20-year-old XSLT reentrancy issue in which key() calls could trigger a hash table rehash, free backing storage, and leave a raw entry pointer in use.
Another, Bug 2024437, involved a 15-year-old flaw in the HTML element. These are exactly the kinds of long-buried defects that can survive ordinary testing, fuzzing, and manual review because they sit inside obscure edge cases, older subsystems, or complex interactions across distant parts of the browser. Mozilla said Claude Mythos Preview helped identify and fix 271 bugs in the Firefox 150 release, with additional fixes shipped in 149.
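The stale-pointer pattern described above for Bug 2025977, shown as an added example (a constructed C model, not Firefox or Mozilla code): a hash table whose rehash frees its backing storage, a reentrant insert standing in for key(), and a generation check that re-resolves the entry before it is used. All names here (Table, reentrant_fill, bump_after_callback) are hypothetical.

```c
#include <stdlib.h>

/* Constructed model, not Firefox code: entries move whenever the table rehashes. */
typedef struct { int key; int value; int used; } Entry;
typedef struct { Entry *slots; size_t cap, len; unsigned generation; } Table;

static Entry *find_slot(Entry *slots, size_t cap, int key) {
    size_t i = (size_t)key % cap;                 /* linear probing, keys >= 0 */
    while (slots[i].used && slots[i].key != key) i = (i + 1) % cap;
    return &slots[i];
}

static void table_init(Table *t) {
    t->cap = 4; t->len = 0; t->generation = 0;
    t->slots = calloc(t->cap, sizeof(Entry));
    if (!t->slots) abort();
}

static void rehash(Table *t) {
    size_t ncap = t->cap * 2;
    Entry *ns = calloc(ncap, sizeof(Entry));
    if (!ns) abort();
    for (size_t i = 0; i < t->cap; i++)
        if (t->slots[i].used) *find_slot(ns, ncap, t->slots[i].key) = t->slots[i];
    free(t->slots);                               /* old backing storage is gone */
    t->slots = ns; t->cap = ncap; t->generation++;
}

static Entry *table_put(Table *t, int key, int value) {
    if ((t->len + 1) * 2 > t->cap) rehash(t);     /* grow at 50% load */
    Entry *e = find_slot(t->slots, t->cap, key);
    if (!e->used) { e->used = 1; e->key = key; t->len++; }
    e->value = value;
    return e;
}

/* Stands in for a reentrant call (key() on the page) that inserts into the same table. */
static void reentrant_fill(Table *t) { for (int k = 100; k < 108; k++) table_put(t, k, k); }

/* Unsafe shape: e = table_put(..); reentrant_fill(t); e->value++;  (e may be dangling)
   Hardened shape: snapshot the generation and look the entry up again if it changed. */
static int bump_after_callback(Table *t, int key, int *was_rehashed) {
    Entry *e = table_put(t, key, 1);
    unsigned gen = t->generation;
    reentrant_fill(t);
    *was_rehashed = (t->generation != gen);
    if (*was_rehashed) e = find_slot(t->slots, t->cap, key);  /* fresh lookup */
    return ++e->value;
}
```

Building the unsafe shape with AddressSanitizer reports the write through the dangling pointer as a heap-use-after-free, which is how this bug class is usually confirmed in testing.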
Of those 271 Firefox 150 bugs, 180 were rated sec-high, 80 were sec-moderate, and 11 were sec-low.
[Figure: A graph showing the volume of Firefox security bug fixes shipped by month, trending in the 20-30 range throughout each month in 2025, with a spike to 60-70 in February and March 2026, up to 423 in April 2026.]
Mozilla’s security severity framework assigns sec-high to vulnerabilities that can be triggered by normal user behavior, such as visiting a web page. That places the findings in a serious operational category, even where Mozilla had built no full proof of real-world weaponization.
The 20-year bug shows how long exploitable-looking flaws can survive
Firefox is an old, high-value, heavily scrutinized browser. Its code has been tested by internal teams, external researchers, fuzzers, bug bounty hunters, and attackers for years. That makes the April surge more important because the vulnerabilities surfaced inside a project with mature security engineering rather than inside a lightly reviewed codebase.
Mozilla said AI-generated security reports to open-source projects had previously carried a high noise burden for maintainers. Reports could look plausible while still being wrong, and the asymmetry was obvious: generating claims was cheap, while validating them consumed experienced engineering time. The dynamic shifted as models improved and Mozilla built a harness around them.
The company described a pipeline that could steer models toward specific code areas, generate reproducible test cases, filter noise, deduplicate findings, triage severity, and move confirmed bugs into the security lifecycle. That surrounding system is central to the result. The model provided discovery power, while the harness turned that power into confirmed reports and patches.
The disclosed sample in Mozilla’s technical write-up included a WebAssembly GC bug that could create a fake-object primitive with potential arbitrary read or write, IPC race conditions affecting parent-process reference counts, raw NaN deserialization across an IPC boundary, parent-process stack memory leakage during DNS parsing, use-after-free flaws, and sandbox escape candidates. These are security primitives that attackers value because they can become parts of exploit chains. A memory corruption bug can become a foothold.




