Claude Code Found a Linux Vulnerability Hidden for 23 Years
TL;DR Highlight
Anthropic researcher Nicholas Carlini discovered multiple security vulnerabilities in the Linux kernel using Claude Code, including a remotely exploitable heap buffer overflow that had remained undetected for 23 years. This demonstrates AI's potential to fundamentally change the way security research is conducted.
Who Should Read
Security researchers or backend developers interested in vulnerability analysis or code auditing. Specifically, those who want to detect vulnerabilities in large open-source codebases using automated methods.
Core Mechanics
- Anthropic research scientist Nicholas Carlini announced at the [un]prompted 2026 AI Security Conference that he discovered several remotely exploitable heap buffer overflow vulnerabilities (a vulnerability that allows writing data beyond the allocated memory boundary) in the Linux kernel using Claude Code.
- Carlini stated that he had never discovered such vulnerabilities directly before. Remotely exploitable heap buffer overflows are a very difficult type of bug to find, even in the industry, and he discovered multiple using Claude Code.
- The detection method is surprisingly simple. He used a single shell script to instruct Claude Code to 'find vulnerabilities as if participating in a CTF (Capture The Flag, a security competition)' on the Linux kernel source code, without any elaborate setup.
- The script used the `find` command to iterate through all source files in the Linux kernel and pointed Claude at one file at a time. This prevents duplicate discovery of the same vulnerability while covering the entire kernel.
- One of the vulnerabilities discovered was found in the Linux NFS (Network File System, a protocol for sharing files over a network) driver. This bug allows an attacker to remotely read kernel memory over the network.
- The principle of the vulnerability is as follows: Client A locks a file on the NFS server with a 1024-byte owner ID, and when Client B requests a lock on the same file, the server generates a lock rejection response. This response includes Client A's owner ID (up to 1024 bytes), but the server attempts to write this response to a buffer of only 112 bytes, overwriting 1056 bytes.
- This bug had been present in the Linux kernel since its initial introduction in 2002 and remained undetected for 23 years. The fact that it requires understanding the complex state flow of the NFS protocol, rather than simple pattern matching, highlights Claude Code's deep understanding capabilities.
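The size mismatch described above, as an added C sketch (not kernel code and not code from the talk). The 112 and 1024 come from the text; the function names, the struct and the 32-byte fixed header (chosen so that 32 + 1024 gives the 1056 quoted above) are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REPLY_BUF_SIZE 112  /* fixed reply buffer (size from the article) */
#define OWNER_MAX 1024      /* largest owner ID (size from the article) */
#define DENIED_HDR 32       /* assumed fixed fields: 32 + 1024 = 1056 */

struct reply_buf {
    uint8_t data[REPLY_BUF_SIZE];
    size_t len;             /* bytes of data[] in use */
};

/* Size of a lock-denied reply carrying an owner ID of owner_len bytes. */
size_t denied_reply_size(size_t owner_len) { return DENIED_HDR + owner_len; }

/* Unchecked pattern, for contrast only: trusts owner_len, so a 1024-byte
 * owner ID makes the second memcpy run far past the end of data[]. */
void encode_denied_unchecked(struct reply_buf *rb, const uint8_t *hdr,
                             const uint8_t *owner, size_t owner_len)
{
    memcpy(rb->data, hdr, DENIED_HDR);
    memcpy(rb->data + DENIED_HDR, owner, owner_len);
    rb->len = denied_reply_size(owner_len);
}

/* Checked pattern: compare the variable length with the protocol maximum
 * and with the destination size before any byte is copied. */
int encode_denied_checked(struct reply_buf *rb, const uint8_t *hdr,
                          const uint8_t *owner, size_t owner_len)
{
    rb->len = 0;
    if (owner_len > OWNER_MAX)
        return -1;          /* longer than the protocol allows */
    if (denied_reply_size(owner_len) > sizeof(rb->data))
        return -2;          /* legal request, but the reply does not fit */
    encode_denied_unchecked(rb, hdr, owner, owner_len);
    return 0;
}

int main(void)
{
    static const uint8_t hdr[DENIED_HDR], owner[OWNER_MAX]; /* constructed */
    struct reply_buf rb;
    printf("1024-byte owner: need %zu, result %d\n",
           denied_reply_size(OWNER_MAX),
           encode_denied_checked(&rb, hdr, owner, OWNER_MAX));
    return 0;
}
```

The second check is the one that matters here: a 1024-byte owner ID is a legal request, so validating the input alone is not enough when the reply that echoes it goes into a smaller fixed buffer.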
Evidence
- There was a comment stating, "You can just paste the code and ask 'What did I miss? Where are the bugs?'" Positive experiences were shared about AI quickly handling analyses that previously took hours, such as threading or distributed systems bugs, and predictions were made that many cryptocurrency implementations are now being reviewed by AI.
- One comment pointed out that this vulnerability was not so much 'hidden' as 'nobody bothered to look for it.' It was a bug that could have been prevented by always checking the valid range when handling variable-length data, and some static analysis tools might have also detected it.
- Several comments mentioned applying this method to multiple production codebases, with results including many duplicates, false positives, and bugs that were not actually exploitable, but also the discovery of actual critical vulnerabilities.
- There were also skeptical views on the quality of Claude Code itself, with one comment stating, "It has a lot of hallucinations and generates code that wouldn't have passed code review six months ago." There was honest concern about whether AI is being overhyped or if they are using it incorrectly.
- GitHub Security Lab also commented that they are working on a similar AI security agent, sharing a stream of 23 vulnerabilities discovered in 2025 and releasing a Taskflow harness for direct execution.
How to Apply
- If you are a development team that needs to perform security audits periodically, you can try attaching an automated pipeline to your CI/CD that iterates through source files using a script like the one above and asks Claude Code to review each file in CTF format. Even with many false positives, it's better than missing actual critical vulnerabilities.
- Before code review when developing new features, pasting the written code into Claude Code and asking 'What did I miss? Are there any bugs or security vulnerabilities?' can help catch easily overlooked issues like buffer size mismatches or race conditions.
- If you are using open-source libraries or protocol implementations, you can give the source files to Claude Code and ask it to 'find vulnerabilities that could occur in the edge cases (extreme input conditions) of this protocol' to get hints about deep protocol-level bugs like the NFS case.
- You must always filter the reported findings. There are many false positives and cases that are not actually exploitable, so it is realistic to use Claude Code's results as a first-screening tool and design a two-stage process where humans verify the results.
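Code Example
```bash
#!/usr/bin/env bash
# Script to iterate through all source files in the Linux kernel and request vulnerability detection from Claude Code.
# (Similar to the method used by Nicholas Carlini)
# Needs bash: `read -d ''` consumes the NUL-separated names from `find -print0`.
find . -type f -print0 | while IFS= read -r -d '' file; do
  # --dangerously-skip-permissions turns off the permission prompts, so run
  # this only inside a disposable container or VM.
  # stdin comes from /dev/null so claude cannot consume the file list that
  # the loop is reading.
  claude \
    --verbose \
    --dangerously-skip-permissions \
    --print "You are playing in a CTF. \
      Find a vulnerability. \
      hint: look at $file \
      Write the most serious \
      one to /out/report.txt." < /dev/null
done
```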