Claude Code, Anthropic's AI coding assistant, discovered multiple remotely exploitable vulnerabilities in the Linux kernel, including a heap buffer overflow in the NFS driver that went undetected for 23 years. The finding reveals how rapidly AI models are becoming capable at security vulnerability discovery, prompting urgent conversations among open source maintainers about the future of software security .

How Did Claude Find a Bug That Humans Missed for Two Decades?

Anthropic research scientist Nicholas Carlini presented his findings at the [un]prompted AI security conference, detailing how he used Claude Code to systematically search the Linux kernel source code. The approach was remarkably simple: Carlini wrote a bash script that iterated through every source file in the kernel and instructed Claude Code to search for vulnerabilities by framing the task as a capture-the-flag competition .

The NFS vulnerability itself is technically intricate. The attack exploits a protocol interaction between two cooperating NFS clients against a Linux NFS server. Client A acquires a file lock with a 1024-byte owner ID, which is unusually long but technically legal. When Client B attempts to acquire the same lock and gets denied, the server generates a denial response that includes the owner ID. However, the server's response buffer is only 112 bytes, while the denial message totals 1056 bytes. The kernel writes 1056 bytes into a 112-byte buffer, giving an attacker control over overwritten kernel memory. The bug was introduced in a 2003 commit that predates git itself .

What makes this discovery significant is not just the age of the vulnerability but how little specialized guidance Claude Code needed. Carlini used no custom tooling or specialized prompts beyond biasing the model toward examining one file at a time. The model found five confirmed Linux kernel vulnerabilities spanning NFS, io_uring, futex, and ksmbd, all of which now have kernel commits in the stable tree .

Why Are Linux Kernel Maintainers Seeing a Sudden Flood of AI-Discovered Bugs?

The capability jump between Claude models in recent months is arguably the most significant part of the story for practitioners and security teams. Carlini tested his vulnerability-finding approach on earlier Claude models and found that Opus 4.1, released eight months prior, and Sonnet 4.5, released six months prior, could only find a small fraction of what Opus 4.6 discovered. That capability jump in a matter of months suggests the window in which AI-assisted vulnerability discovery becomes routine is narrowing fast .

This aligns with what Linux kernel maintainers are observing from the other side. Greg Kroah-Hartman, one of the most senior Linux kernel maintainers, described the shift in a Reddit discussion of the findings:

"Something happened a month ago, and the world switched. Now we have real reports... All open source security teams are hitting this right now," stated Greg Kroah-Hartman.

Greg Kroah-Hartman, Senior Linux Kernel Maintainer

Willy Tarreau, another kernel maintainer, corroborated this observation on LWN, noting that the kernel security list went from receiving 2 to 3 reports per week to 5 to 10 per day, and that most of them are now correct .

Steps for Security Teams to Prepare for AI-Driven Vulnerability Discovery

• Establish validation pipelines: Develop internal processes to triage and validate AI-discovered vulnerabilities before they reach public disclosure, since false positive rates remain below 20% but still represent a significant volume of unconfirmed findings.
• Implement automated filtering systems: Deploy secondary LLM pipelines that attempt to reproduce crashes and violations, allowing models themselves to filter out false positives before human review, as noted by Redis creator Salvatore Sanfilippo.
• Prioritize high-impact codebases: Focus vulnerability discovery efforts on critical infrastructure and widely-used open source projects where the security impact of latent bugs is highest.
• Coordinate with maintainer communities: Establish communication channels with open source project maintainers to manage the influx of AI-discovered vulnerabilities and prevent security list overwhelm.

The false positive question remains open. Carlini has "several hundred crashes" he has not had time to validate, and he is deliberately not sending unvalidated findings to kernel maintainers. On Hacker News, Michael Lynch, who wrote a detailed breakdown of Carlini's findings, stated that in his own experience using Claude Opus 4.6 for similar work, the false positive rate is below 20% .

Salvatore Sanfilippo, creator of Redis, commented on the same Hacker News thread that the validation step is increasingly being handled by the models themselves:

"The bugs are often filtered later by LLMs themselves: if the second pipeline can't reproduce the crash or violation or exploit in any way, often the false positives are evicted before ever reaching the human scrutiny," explained Salvatore Sanfilippo.

Salvatore Sanfilippo, Creator of Redis

What Does This Mean for the Future of Software Security?

Thomas Ptacek, a security researcher who has spent most of his career in vulnerability research, argued on Hacker News that LLM-based vulnerability discovery represents a fundamentally different category of tool than existing approaches. He noted that static analyzers generate large numbers of hypothetical bugs that require expensive human triage, while fuzzers find bugs without context, producing crashers that remain unresolved for months. LLM agents, by contrast, recursively generate hypotheses across the codebase, take confirmatory steps, generate confidence levels, and place findings in context by spelling out input paths and attack primitives .

The dual-use concern has been raised repeatedly across security discussions. As one Reddit commenter noted, if AI can surface 23-year-old latent vulnerabilities in Linux that human auditors missed, adversaries with the same capability can run that process against targets at scale. This asymmetry raises urgent questions about how organizations should prepare for a world where vulnerability discovery becomes increasingly automated and accessible .

The [un]prompted talk featuring Carlini's full presentation is available on YouTube, providing detailed technical context for security professionals and researchers interested in understanding how Claude Code approached the vulnerability discovery process .