Claude Opus 4.6 Discovers 22 Firefox Security Vulnerabilities


Updated May 15, 2026
Tags: ai, security, claude, vulnerabilities
Anthropic's Claude AI model uncovered 22 security bugs in Firefox, including 14 high-severity vulnerabilities, in a groundbreaking security partnership with Mozilla.

When AI Becomes a Security Tool: Claude Opus 4.6 Finds 22 Firefox Bugs

In a remarkable demonstration of AI's practical applications beyond chatbots, Anthropic's Claude Opus 4.6 language model has identified 22 previously unknown security vulnerabilities in Firefox. The discovery, announced in a security partnership with Mozilla, shows that agentic AI isn't just theoretical—it's shipping real results.

The Numbers

  • 22 total vulnerabilities discovered
  • 14 classified as high-severity — almost a fifth of all high-severity Firefox bugs patched in 2025
  • 7 moderate-severity bugs
  • 1 low-severity issue
  • Fixed in Firefox 148, released last month

The vulnerabilities were identified over just two weeks in January 2026, and the sheer breadth of the findings—nearly 6,000 C++ files scanned—hints at the scale of the work Claude handled.

A Use-After-Free Bug in 20 Minutes

What's most striking: Claude detected a critical use-after-free vulnerability in Firefox's JavaScript engine after just 20 minutes of exploration. A human researcher then validated it in a virtualized environment to rule out false positives.

This is the kind of work that traditionally required experienced security researchers spending weeks. Claude did it faster and systematically.

The Limitations

Claude Opus 4.6 wasn't a perfect exploit generator—in fact, it struggled to weaponize the vulnerabilities. Despite hundreds of attempts and $4,000 in API credits, Claude was able to turn a known vulnerability into a working exploit in only two cases.

But that's actually reassuring. It suggests that while AI can find the bugs, turning them into practical attacks remains difficult—a margin of safety in the asymmetric AI security game.

Source: The Hacker News / Anthropic
