Spoiler: it’s not hardening in the traditional sense; it is Claude models finding vulnerabilities and bugs in Firefox.
A few weeks ago, Anthropic’s Frontier Red Team approached us with results from a new AI-assisted vulnerability-detection method that surfaced more than a dozen verifiable security bugs, with reproducible tests.
AI-assisted bug reports have a mixed track record, and skepticism is earned. Too many submissions have meant false positives and an extra burden for open source projects.
What we received from the Frontier Red Team at Anthropic was different.
Anthropic’s team got in touch with Firefox engineers after using Claude to identify security bugs in our JavaScript engine. Critically, their bug reports included minimal test cases that allowed our security team to quickly verify and reproduce each issue.
Of the 28 CVEs ranked “high severity” (31 if you count the last three):
(out of bounds) CVE-2026-2757: Incorrect boundary conditions in the WebRTC: Audio/Video component
(uninitialized memory) CVE-2026-2794: Information disclosure due to uninitialized memory in Firefox and Firefox Focus for Android
(use after free) CVE-2026-2758: Use-after-free in the JavaScript: GC component
(out of bounds) CVE-2026-2759: Incorrect boundary conditions in the Graphics: ImageLib component
(use after free) CVE-2026-2795: Use-after-free in the JavaScript: GC component
(use after free) CVE-2026-2763: Use-after-free in the JavaScript Engine component
(use after free) CVE-2026-2764: JIT miscompilation, use-after-free in the JavaScript Engine: JIT component
(use after free) CVE-2026-2797: Use-after-free in the JavaScript: GC component
(use after free) CVE-2026-2765: Use-after-free in the JavaScript Engine component
(use after free) CVE-2026-2766: Use-after-free in the JavaScript Engine: JIT component
(use after free) CVE-2026-2767: Use-after-free in the JavaScript: WebAssembly component
(use after free) CVE-2026-2798: Use-after-free in the DOM: Core & HTML component
(use after free) CVE-2026-2769: Use-after-free in the Storage: IndexedDB component
(use after free) CVE-2026-2799: Use-after-free in the DOM: Core & HTML component
(use after free) CVE-2026-2770: Use-after-free in the DOM: Bindings (WebIDL) component
(“undefined behavior”) CVE-2026-2771: Undefined behavior in the DOM: Core & HTML component
(use after free) CVE-2026-2772: Use-after-free in the Audio/Video: Playback component
(out of bounds) CVE-2026-2773: Incorrect boundary conditions in the Web Audio component
(out of bounds) CVE-2026-2778: Sandbox escape due to incorrect boundary conditions in the DOM: Core & HTML component
And the bonus three:
CVE-2026-2807: Memory safety bugs fixed in Firefox 148 and Thunderbird 148
CVE-2026-2792: Memory safety bugs fixed in Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148
CVE-2026-2793: Memory safety bugs fixed in Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148
Which makes 19/28 (or 22/31 if you count the bonus three) high-severity CVEs fixed in Firefox 148 “things (safe) Rust probably would have prevented”. I can’t say it definitely would, since the Bugzilla pages for the CVEs still seem to be restricted, but I’d say the odds are good.
There were also a few in the “moderate” and “low” categories.
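The three bug classes that dominate the list (incorrect boundary conditions, uninitialized memory, use-after-free) are exactly the ones safe Rust turns into compile errors or checked failures. The following is an added example written for this post; it is not code from the post, from Mozilla, or from Anthropic, and the two-byte "frame" format and the sample bytes are constructed for illustration with no relation to any listed CVE.

```rust
// Added example (not from the post or from Mozilla/Anthropic): how safe Rust handles
// the three bug classes in the CVE list above. The frame format and the sample
// bytes are constructed for illustration only.

/// Constructed frame format: byte 0 is a type tag, byte 1 declares how many payload
/// bytes follow. Parsing returns None instead of reading past the buffer when the
/// declared length is wrong ("incorrect boundary conditions" class).
pub fn payload_of(frame: &[u8]) -> Option<&[u8]> {
    let declared = *frame.get(1)? as usize; // bounds-checked: None if frame.len() < 2
    let start = 2usize;
    let end = start.checked_add(declared)?; // None on integer overflow, never wraps
    frame.get(start..end) // None if end > frame.len(); no out-of-bounds read possible
}

/// Copies the payload into a fixed-capacity buffer. The buffer is fully initialized
/// by `vec![0u8; capacity]` before anything is written, so a caller can never observe
/// stale memory ("uninitialized memory" class); oversized payloads are truncated.
pub fn copy_payload(frame: &[u8], capacity: usize) -> Option<Vec<u8>> {
    let payload = payload_of(frame)?;
    let mut buf = vec![0u8; capacity];
    let n = payload.len().min(capacity);
    buf[..n].copy_from_slice(&payload[..n]);
    Some(buf)
}

// "Use-after-free" class: the borrow checker rejects this shape at compile time
// (error[E0382]: borrow of moved value), so it is shown as a comment, not run.
// fn uaf() -> String { let s = String::from("gc"); drop(s); s }

/// Reports, per frame, whether it parsed without hitting a boundary error.
pub fn frames_parse_ok(frames: &[&[u8]]) -> Vec<bool> {
    frames.iter().map(|f| payload_of(f).is_some()).collect()
}

fn main() {
    // Constructed samples: well-formed, a header that lies about its length, and a
    // frame too short to even hold the header.
    let good: &[u8] = &[0x01, 0x03, 0xAA, 0xBB, 0xCC];
    let lying: &[u8] = &[0x01, 0x10, 0xAA];
    let short: &[u8] = &[0x01];
    println!("{:?}", frames_parse_ok(&[good, lying, short]));
    println!("{:?}", copy_payload(good, 5));
}
```

The point is not that Rust makes the parser correct (a wrong `declared` still yields a wrong answer) but that the failure mode changes from silent memory corruption to a `None` the caller must handle, and that the use-after-free variant does not compile at all.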
I don’t think it will. I think it just moves the baseline of minimum security scanning a notch. Like scanning for vulnerable dependencies is now a standard, scanning for vulnerabilities with AI will be the new default.
It is a shame they mothballed Servo. Mozilla is chasing after a million gimmicks at once instead of modernising their aging browser engine and more importantly dated Android app.