Claude Code Found a Linux Vulnerability Hidden for 23 Years
TL;DR Highlight
Anthropic researcher Nicholas Carlini discovered multiple security vulnerabilities in the Linux kernel using Claude Code, including a remotely exploitable heap buffer overflow that had remained undetected for 23 years. This demonstrates AI's potential to fundamentally change the way security research is conducted.
Who Should Read
Security researchers or backend developers interested in vulnerability analysis or code auditing. Specifically, those who want to detect vulnerabilities in large open-source codebases using automated methods.
Core Mechanics
- Anthropic research scientist Nicholas Carlini announced at the [un]prompted 2026 AI Security Conference that he discovered several remotely exploitable heap buffer overflow vulnerabilities (a vulnerability that allows writing data beyond the allocated memory boundary) in the Linux kernel using Claude Code.
- Carlini stated that he had never discovered such vulnerabilities directly before. Remotely exploitable heap buffer overflows are a very difficult type of bug to find, even in the industry, and he discovered multiple using Claude Code.
- The detection method is surprisingly simple. He used a single shell script to instruct Claude Code to 'find vulnerabilities as if participating in a CTF (Capture The Flag, a security competition)' on the Linux kernel source code, without any elaborate setup.
- The script used the `find` command to iterate through all source files in the Linux kernel, pointing Claude at one file at a time. This prevents duplicate discovery of the same vulnerability while covering the entire kernel.
- One of the vulnerabilities discovered was found in the Linux NFS (Network File System, a protocol for sharing files over a network) driver. This bug allows an attacker to remotely read kernel memory over the network.
- The vulnerability works as follows: Client A locks a file on the NFS server with a 1024-byte owner ID, and when Client B requests a lock on the same file, the server generates a lock rejection response. This response includes Client A's owner ID (up to 1024 bytes), but the server writes the response into a buffer of only 112 bytes, so a 1056-byte write overruns it.
- This bug had been present in the Linux kernel since its initial introduction in 2002 and remained undetected for 23 years. The fact that it requires understanding the complex state flow of the NFS protocol, rather than simple pattern matching, highlights Claude Code's deep understanding capabilities.
Evidence
- There was a comment stating, "You can just paste the code and ask 'What did I miss? Where are the bugs?'" Positive experiences were shared about AI quickly completing analyses that previously took hours, such as finding threading or distributed systems bugs, and predictions were made that many cryptocurrency implementations are now being reviewed by AI.
- One comment pointed out that this vulnerability was not so much 'hidden' as 'nobody bothered to look for it.' It was a bug that could have been prevented by always checking the valid range when handling variable-length data, and some static analysis tools might have also detected it.
- Several comments mentioned applying this method to multiple production codebases, with results including many duplicates, false positives, and bugs that were not actually exploitable, but also the discovery of actual critical vulnerabilities.
- There were also skeptical views on the quality of Claude Code itself, with one comment stating, "It has a lot of hallucinations and generates code that wouldn't have passed code review six months ago." There was honest concern about whether AI is being overhyped or whether they are using it incorrectly.
- GitHub Security Lab also commented that they are working on a similar AI security agent, sharing a stream of 23 vulnerabilities discovered in 2025 and releasing a Taskflow harness for direct execution.
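The lock-denial mechanism described under Core Mechanics, and the range check the commenters say would have prevented it, as an added example that is not the kernel's code. The function names and the 32-byte fixed header are assumptions, the latter chosen so that a 1024-byte owner ID yields the 1056 bytes the page cites.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REPLY_BUF_SIZE 112  /* fixed reply buffer size cited on the page */
#define OWNER_MAX      1024 /* maximum owner ID length cited on the page */
#define DENIED_HDR_LEN 32   /* ASSUMPTION: fixed fields preceding the owner ID */

/* Bytes a lock-denied reply needs for an owner ID of owner_len bytes. */
size_t denied_reply_len(size_t owner_len)
{
    return DENIED_HDR_LEN + owner_len;
}

/* Checked encoder: returns bytes written, or -1 when the owner ID exceeds the
 * protocol maximum or the whole reply does not fit in cap bytes. Dropping the
 * two tests gives the unchecked form: a memcpy of a client-chosen length into
 * a buffer sized without regard to that length. */
long encode_denied(uint8_t *buf, size_t cap, const uint8_t *owner, size_t owner_len)
{
    if (owner_len > OWNER_MAX)
        return -1;
    if (denied_reply_len(owner_len) > cap)
        return -1;
    memset(buf, 0, DENIED_HDR_LEN);                        /* placeholder fixed fields */
    buf[DENIED_HDR_LEN - 2] = (uint8_t)(owner_len >> 8);   /* owner length, */
    buf[DENIED_HDR_LEN - 1] = (uint8_t)(owner_len & 0xff); /* big-endian    */
    memcpy(buf + DENIED_HDR_LEN, owner, owner_len);
    return (long)denied_reply_len(owner_len);
}

/* Constructed scenario: client A holds the lock with an owner ID of owner_len
 * bytes; the server encodes the denial for client B into the fixed buffer. */
long simulate_conflict(size_t owner_len)
{
    static uint8_t owner[OWNER_MAX];
    uint8_t reply[REPLY_BUF_SIZE];

    memset(owner, 'A', sizeof owner);
    return encode_denied(reply, sizeof reply, owner, owner_len);
}

int main(void)
{
    printf("reply for 1024-byte owner needs %zu bytes\n", denied_reply_len(1024));
    printf("16-byte owner   -> %ld\n", simulate_conflict(16));
    printf("1024-byte owner -> %ld\n", simulate_conflict(1024));
    return 0;
}
```

The check compares the full encoded length, not just the owner ID, against the destination size, so an owner ID that is legal under the protocol maximum is still rejected when the reply buffer is too small for it.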
How to Apply
- If you are a development team that needs to perform security audits periodically, you can try attaching an automated pipeline to your CI/CD that iterates through source files using a script like the one in the Code Example section and asks Claude Code to review each file in CTF format. Even with many false positives, it's better than missing actual critical vulnerabilities.
- Before code review when developing new features, pasting the written code into Claude Code and asking 'What did I miss? Are there any bugs or security vulnerabilities?' can help catch easily overlooked issues like buffer size mismatches or race conditions.
- If you are using open-source libraries or protocol implementations, you can give the source files to Claude Code and ask it to 'find vulnerabilities that could occur in the edge cases (extreme input conditions) of this protocol' to get hints about deep protocol-level bugs like the NFS case.
- Always triage the reported findings. There are many false positives and cases that are not actually exploitable, so it is realistic to use Claude Code's results as a first-screening tool and design a two-stage process where humans verify the results.
Code Example
```bash
# Script to iterate through all source files in the Linux kernel and request vulnerability detection from Claude Code.
# (Similar to the method used by Nicholas Carlini)
find . -type f -print0 | while IFS= read -r -d '' file; do
  # --dangerously-skip-permissions disables permission prompts; run this inside a disposable container or VM.
  # stdin is redirected so the command cannot consume the file list feeding the loop.
  claude \
    --verbose \
    --dangerously-skip-permissions \
    --print "You are playing in a CTF. \
      Find a vulnerability. \
      hint: look at $file \
      Write the most serious \
      one to /out/report.txt." < /dev/null
done
```