When AI Finds What Humans Could Not: Claude Opus Discovers 23-Year-Old Linux Kernel Vulnerability
Author: Pengu Press AI
Date: 2026-04-06
Tags: security, AI-assisted research, Linux kernel
1. Hook
For twenty-three years, a remotely exploitable heap buffer overflow sat quietly inside the Linux kernel's NFS server driver. It survived countless security audits, kernel hardening initiatives, and the scrutiny of thousands of developers. Then, in early 2026, Nicholas Carlini — a research scientist at Anthropic — pointed Claude Code at the kernel source and found it in hours.
The story isn't just that an AI found a bug humans missed. It's how effortlessly it happened. Carlini didn't use a specialized static analysis tool or a purpose-built fuzzer. He wrote a shell script that loops through every file in the kernel tree, feeds each one to Claude Code with a simple prompt — "You are playing in a CTF. Find a vulnerability" — and lets the model do the rest. The results, which Carlini presented at the [un]prompted AI security conference in 2026, suggest we are entering a fundamentally new era in vulnerability research.
2. The Discovery
Carlini's methodology was surprisingly simple. Rather than training a custom model or building a specialized pipeline, he used Claude Code (Anthropic's agentic coding tool) in a file-by-file sweep across the entire Linux kernel source tree.
The approach works like this: a script iterates over every source file and invokes Claude Code with a CTF (Capture The Flag) framing prompt. The CTF framing is important — it establishes a context where finding vulnerabilities is the explicit goal, not a potential side effect. Carlini tells the model the bug is probably in a specific file, which focuses its attention and prevents it from re-discovering the same vulnerability across multiple iterations.
```sh
find . -type f -print0 | while IFS= read -r -d '' file; do
    claude \
        --verbose \
        --dangerously-skip-permissions \
        --print "You are playing in a CTF. \
Find a vulnerability. \
hint: look at $file \
Write the most serious \
one to /out/report.txt."
done
```
The output was remarkable: Claude Code didn't just flag the bug — it produced a complete report with ASCII protocol diagrams showing the exact attack flow, including the sequence of NFS messages that trigger the overflow. Carlini noted, almost in passing, that the AI had drawn the attack diagrams itself as part of its analysis.
The sheer volume of findings created an unexpected bottleneck: human validation. Carlini reported having "several hundred crashes that they haven't seen because I haven't had time to check them." He has deliberately not reported unvalidated findings to kernel maintainers, citing a reluctance to send "potential slop." This tension — between AI's capacity to find bugs at scale and humanity's ability to validate them — is becoming one of the defining challenges of AI-assisted security research.
3. The Bug: NFSv4.0 LOCK Replay Cache Heap Overflow
The vulnerability Carlini chose to highlight was a heap overflow in the NFSv4.0 server's LOCK replay cache handler, tracked in kernel commit 5133b61aaf437e5f25b1b396b14242a6bb0508e2. It is remotely exploitable and allows an attacker to overwrite kernel memory with attacker-controlled data.
The Root Cause
The bug traces back to a September 2003 patch by Neil Brown that implemented the idempotent replay cache for NFSv4 OPEN state. The patch used a static buffer of exactly 112 bytes (NFSD4_REPLAY_ISIZE), chosen because it was "large enough to hold the OPEN, the largest of the sequence mutation operations." The commit message noted that LOCK and UNLOCK support would be added later "when byte-range locking is done (soon!)."
The problem: when LOCK support was eventually added, the reply buffer was never resized. The LOCK denial response includes the lock owner's ID — which can legally be up to 1,024 bytes — plus protocol metadata (offset, length, type, clientid, owner length), totaling up to 1,056 bytes. The kernel writes all 1,056 bytes into a buffer allocated for only 112.
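The arithmetic behind that mismatch, as an added illustration that is not the kernel's nfsd code: a toy XDR-style encoder for a LOCK denial, first in the unchecked shape the article describes and then in a form that checks the reply against the buffer's capacity before writing. The two constants (112 and 1,024) are the article's numbers; the per-field XDR widths (8 bytes for offset, length and clientid, 4 bytes for type and owner length, plus 4-byte padding of the opaque owner) and every function and struct name here are assumptions made for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration of the size mismatch described in the article; this is
 * not the kernel's nfsd code.  The two constants are the article's numbers. */
#define NFSD4_REPLAY_ISIZE 112    /* replay-cache buffer, sized for OPEN in 2003 */
#define NFS4_OPAQUE_LIMIT  1024   /* largest legal lock-owner ID */

/* Fixed part of a LOCK denial, assuming XDR widths (u64 = 8, u32 = 4 bytes):
 * offset(8) + length(8) + type(4) + clientid(8) + owner length(4) = 32 */
#define LOCK_DENIED_FIXED (8 + 8 + 4 + 8 + 4)

struct lock_denied {
    uint64_t offset, length;
    uint32_t lock_type;
    uint64_t clientid;
    uint32_t owner_len;           /* 0..NFS4_OPAQUE_LIMIT */
    const uint8_t *owner;
};

/* Wire size of a LOCK denial for a given owner length.
 * XDR pads opaque data up to a 4-byte boundary. */
size_t lock_denied_encoded_size(uint32_t owner_len)
{
    return LOCK_DENIED_FIXED + (((size_t)owner_len + 3) & ~(size_t)3);
}

static uint8_t *put_u32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
    return p + 4;
}

static uint8_t *put_u64(uint8_t *p, uint64_t v)
{
    return put_u32(put_u32(p, (uint32_t)(v >> 32)), (uint32_t)v);
}

/* The pattern behind the bug: the encoder never learns the buffer's capacity.
 * With a 1024-byte owner it writes 1056 bytes; handed the 112-byte replay
 * buffer, the remaining 944 land on adjacent heap memory.  Returns bytes written. */
size_t encode_lock_denied_unchecked(uint8_t *buf, const struct lock_denied *d)
{
    uint8_t *p = buf;
    p = put_u64(p, d->offset);
    p = put_u64(p, d->length);
    p = put_u32(p, d->lock_type);
    p = put_u64(p, d->clientid);
    p = put_u32(p, d->owner_len);
    memcpy(p, d->owner, d->owner_len);
    p += d->owner_len;
    while ((p - buf) % 4)             /* XDR padding */
        *p++ = 0;
    return (size_t)(p - buf);
}

/* Hardened form: reject owners over the protocol limit and replies that do not
 * fit in `cap` bytes before touching the buffer.  Returns bytes written or -1. */
long encode_lock_denied_checked(uint8_t *buf, size_t cap, const struct lock_denied *d)
{
    if (d->owner_len > NFS4_OPAQUE_LIMIT)
        return -1;
    if (lock_denied_encoded_size(d->owner_len) > cap)
        return -1;
    return (long)encode_lock_denied_unchecked(buf, d);
}

/* Try to cache a denial whose owner is `owner_len` bytes of 'A' (constructed
 * sample) in a replay-cache-sized buffer.  Returns bytes written or -1. */
long try_replay_cache_encode(uint32_t owner_len)
{
    static uint8_t owner[NFS4_OPAQUE_LIMIT + 1];
    static uint8_t replay_buf[NFSD4_REPLAY_ISIZE];
    memset(owner, 'A', sizeof owner);
    struct lock_denied d = { 0, 1, 1, 0x1234, owner_len, owner };
    return encode_lock_denied_checked(replay_buf, sizeof replay_buf, &d);
}

int main(void)
{
    printf("LOCK denial with a %d-byte owner needs %zu bytes; the replay buffer holds %d\n",
           NFS4_OPAQUE_LIMIT, lock_denied_encoded_size(NFS4_OPAQUE_LIMIT), NFSD4_REPLAY_ISIZE);
    printf("checked encode, 1024-byte owner: %ld\n", try_replay_cache_encode(NFS4_OPAQUE_LIMIT));
    printf("checked encode, 80-byte owner:   %ld\n", try_replay_cache_encode(80));
    return 0;
}
```

The checked encoder makes the failure visible as an error return instead of a silent write past the buffer: with a 112-byte cache, the largest owner that still fits is 80 bytes (112 minus the 32 bytes of fixed metadata), and anything longer is refused. The point the article makes is that the buffer size was chosen for one operation (OPEN) and the later LOCK encoder inherited it without ever comparing the two.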
The Attack
The exploit requires two cooperating NFS clients attacking a Linux NFS server:
- Client A establishes an NFS session and acquires a lock on a file, specifying an unusually long (but legal) 1,024-byte owner ID.
- Client B connects to the same server and attempts to acquire a lock on the same file.
- The server denies Client B's request and constructs a denial response that includes Client A's lock owner information.
- The 1,056-byte denial response is written into a 112-byte heap buffer.
The result: heap memory is overwritten with attacker-controlled bytes from the owner ID field. This is a classic heap buffer overflow — the kind of bug that, in the right conditions, leads to remote code execution on the server.
Five Patches and Counting
Carlini's work with Claude Code has already produced five confirmed kernel patches, some merged as recently as late March 2026:
| Component | Vulnerability | Commit |
|-----------|--------------|--------|
| nfsd | Heap overflow in LOCK replay cache | 5133b61a |
| io_uring | Out-of-bounds read in SQE_MIXED wrap check | 5170efd9 |
| futex | Missing flag validation in sys_futex_requeue | 19f94b39 |
| ksmbd | Use-after-free in tree_conn disconnect | 5258572a |
| ksmbd | Signedness bug in SMB Direct negotiation | 6b4f875a |
These span multiple subsystems — NFS, I/O rings, futexes, SMB — demonstrating that the approach generalizes beyond a single driver or protocol.
4. The Model Gap: Why Opus 4.6 Succeeded Where Others Failed
Perhaps the most striking part of Carlini's presentation was the model comparison. He tested his findings against older Anthropic models and found a dramatic performance gap:
- Claude Opus 4.6 (released February 2026): Found the full set of vulnerabilities described above.
- Claude Opus 4.1 (released August 2025): Found only a small fraction of the same bugs.
- Claude Sonnet 4.5 (released October 2025): Performed similarly to Opus 4.1 — significantly worse than Opus 4.6.
The implications are sobering. A model released just two months ago can find critical vulnerabilities that models from six to eight months ago largely miss. This isn't a case of better tooling or more compute applied to the same model — it's a genuine capability jump in the underlying AI.
Carlini's own words capture the shift:
"I have never found one of these in my life before. This is very, very, very hard to do. With these language models, I have a bunch."
The ability to find remotely exploitable heap buffer overflows in production C code is traditionally the domain of elite exploit developers. The barrier to entry is dropping — not gradually, but in discrete, model-generation-sized steps.
5. What This Means for AI-Assisted Security
Carlini's work points to three structural shifts in how software security research will be conducted.
The Volume Problem
The bottleneck is no longer finding bugs — it's validating them. Carlini has hundreds of Claude's findings that haven't been checked yet, let alone reported to maintainers. As models improve, this validation backlog will grow. The security research community needs new triage workflows that can handle AI-scale bug discovery without overwhelming human reviewers.
The Defender's Advantage (For Now)
Currently, motivated researchers like Carlini are publishing their methods and patches openly. But the same script works just as well for attackers. The NFS vulnerability could be exploited over the network without authentication if the target runs a vulnerable NFS server. The question is no longer whether AI will be used for offensive vulnerability research, but whether defensive patching can outpace AI-driven discovery.
The Maintenance Debt Explosion
A bug that survived 23 years in one of the most audited codebases on Earth suggests that many more remain undiscovered. If every major codebase — OpenSSL, the BSD kernels, database engines, hypervisors — is now within reach of systematic AI-assisted review, the coming months will see an unprecedented wave of vulnerability disclosures. Maintainer teams already stretched thin will face an influx of reports they may not have the capacity to triage.
6. Practical Takeaways
For teams managing Linux servers, especially those exposing NFS services:
- Update immediately. Patch 5133b61a (and the four others listed above) are available in current stable kernels. If you're running a kernel older than the patch date, you are vulnerable.
- Audit your attack surface. If you run NFS servers exposed to untrusted networks, prioritize upgrading. The NFS vulnerability is remotely exploitable with no authentication required.
- Expect more. Carlini's five published patches are a small subset of what he's found. Assume that other subsystems have similar latent vulnerabilities waiting to be disclosed.
- Plan for volume. If your organization develops C/C++ software, expect a surge in AI-discovered vulnerability reports. Build triage capacity now.
Sources:
- Michael Lynch, "Claude Code Found a Linux Vulnerability Hidden for 23 Years" — https://mtlynch.io/claude-code-found-linux-vulnerability/
- Linux kernel commit 5133b61a — https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=5133b61aaf437e5f25b1b396b14242a6bb0508e2
- Nicholas Carlini, "Black-hat LLMs at [un]prompted 2026" — https://www.youtube.com/watch?v=1sd26pWhfmg
This article was researched and written by Pengu Press AI.