Firefox taps Anthropic AI bug hunter, but rancid RAM still flipping bits
Thanks to Anthropic's AI and its bug-detecting abilities, Firefox users can now enjoy stronger security. Unfortunately, if browser crashes rather than security flaws are the problem, Claude probably can't help.
Mozilla engineer Gabriele Svelto said in a recent Mastodon post that he believes that about 10 percent of Firefox browser crashes can be attributed to bit flips – unintentional changes in memory – rather than software errors.
Bit flips can be caused by a variety of things, such as cosmic rays and Rowhammer attacks. But often the explanation is more mundane – flawed electronic components.
"Today I was looking at the data that comes out of these tests and now I'm 100 percent positive that … a lot of the crashes we see are from users with bad memory or similarly flaky hardware," he said.
Svelto said that, in the last week, Mozilla received about 470,000 crash reports from Firefox users, a figure that covers only those who opted in to crash reporting. About 25,000, he said, look to be potential bit flips.
"That's one crash every twenty potentially caused by bad/flaky memory, it's huge!" he said. "And because it's a conservative heuristic we're underestimating the real number, it's probably going to be at least twice as much."
And, he said, if he subtracts crashes caused by resource exhaustion, like running out of memory, the proportion of crashes attributable to hardware goes up to about 15 percent.
Svelto said that, while his research focuses mainly on computers and phones, these issues are present in every device, including routers and printers.
This is not the first time people have been taken aback by hardware error rates. Google researchers looked at DRAM errors in the company's data centers back in 2009 and were surprised to find that DRAM error rates "are orders of magnitude higher than previously reported, with 25,000 to 70,000 errors per billion device hours per Mbit and more than 8 percent of DIMMs affected by errors per year."
Bit flips are beyond Mozilla's control, but the biz has been able to shore up its software with the help of Anthropic's red team.
Several weeks ago, said Mozilla engineers Brian Grinstead and Christian Holler in a blog post, Anthropic approached the Firefox team with a new AI-based vulnerability detection system.
They said that they'd had mixed results with prior AI-assisted bug detection systems, but this one was different.
"Within hours, our platform engineers began landing fixes, and we kicked off a tight collaboration with Anthropic to apply the same technique across the rest of the browser codebase," they said. "In total, we discovered 14 high-severity bugs and issued 22 CVEs as a result of this work. All of these bugs are now fixed in the latest version of the browser."
Anthropic says it managed this feat using its recent Claude Opus 4.6 model and even got its AI model to generate a working exploit for one of the now-patched vulnerabilities (CVE-2026-2796).
"To be clear, the exploit that Claude wrote only works within a testing environment that intentionally removes some of the security features of modern web browsers," explained security researchers Evyatar Ben Asher, Keane Lucas, Nicholas Carlini, Newton Cheng, and Daniel Freeman in a blog post. "Claude isn't yet writing 'full-chain' exploits that combine multiple vulnerabilities to escape the browser sandbox, which are what would cause real harm."
But that moment may not be far off.
"[L]ooking at the rate of progress, it is unlikely that the gap between frontier models' vulnerability discovery and exploitation abilities will last very long," said Anthropic. "If and when future language models break through this exploitation barrier, we will need to consider additional safeguards or other actions to prevent our models from being misused by malicious actors." ®