Anthropic's Claude Opus Found and Exploited a Firefox Zero-Day Vulnerability

What Happened

Anthropic published a detailed write-up of CVE-2026-2796, a JIT miscompilation bug in Firefox's WebAssembly component that Claude Opus 4.6 both discovered and exploited during a two-week security audit of the Firefox codebase.

The vulnerability sits in Firefox's SpiderMonkey engine, specifically in how it handles Function.prototype.call.bind() wrappers used as WebAssembly imports. The optimization path in MaybeOptimizeFunctionCallBind() unwraps these wrappers without verifying that the type signatures match, creating a type-confusion primitive. From there, Claude built a full exploit chain: mismatched WebAssembly modules, type-confused function pointers, arbitrary memory read/write via a fake ArrayBuffer, and ultimately code execution in the JS engine.

The numbers are worth noting. The two-week audit found 22 total vulnerabilities. The working exploit for CVE-2026-2796 succeeded roughly 2 times out of about 350 attempts. Mozilla has already patched the issue by adding proper type signature validation to the optimization path.

Important caveat: the testing environment had browser sandbox protections removed. This was not a full-chain exploit that would escape a real browser sandbox.

Why It Matters

This is the first well-documented case of a frontier AI model independently discovering a real zero-day vulnerability in production software and building a working exploit for it. That is a significant capability threshold.

For security teams, this changes the calculus on both offense and defense. Automated vulnerability discovery at this level means:

  • Defenders can potentially audit codebases at a scale and speed that was previously impractical. A two-week audit finding 22 bugs is substantial output.
  • Attackers - or at least the models they might use - are approaching the ability to find exploitable bugs without human guidance.

The 2-out-of-350 success rate on the exploit is low, but it is not zero. And model capabilities only go in one direction.

Our Take

This is one of the most significant AI capability demonstrations of 2026 so far. Not because the vulnerability itself is unusual - JIT bugs in browser engines are a known class - but because of what it says about where these models are heading.

Anthropic deserves credit for publishing this openly rather than quietly patching and moving on. The write-up from their red team blog is technically detailed and honest about limitations (sandbox removed, low success rate, not a full chain). That kind of transparency is exactly what the AI safety conversation needs.

The practical implication for anyone using Claude or similar models: these tools are becoming genuinely useful for security auditing work. Not "AI will replace security researchers" useful, but "AI can be a serious force multiplier for finding bugs in large codebases" useful. If you are running a security team and not experimenting with LLM-assisted code auditing, this write-up should change your mind.

The dual-use concern is real but hard to avoid. The same capability that helps defenders find bugs faster also helps attackers. Anthropic's approach of publishing methodology while working with Mozilla on the fix before disclosure follows responsible disclosure norms, but the broader question of how to handle AI-discovered zero-days is going to need industry-wide answers.