Claude Code Finds 23-Year-Old Linux Kernel Vulnerability
Nicholas Carlini, a research scientist at Anthropic, reported at the [un]prompted AI security conference that he used Claude Code to find multiple remotely exploitable security vulnerabilities in the Linux kernel, including one that sat undiscovered for 23 years.
How Claude Code Found the Bug
Carlini was surprised by how little oversight Claude Code needed. He essentially pointed Claude Code at the Linux kernel source code and asked, "Where are the security vulnerabilities?" using a simple script that iterated over all files in the source tree.
# Iterate over all files in the source tree.
find . -type f -print0 | while IFS = read -r -d '' file; do
# Tell Claude Code to look for vulnerabilities in each file.
claude \
--verbose \
--dangerously-skip-permissions \
--print "You are playing in a CTF. \
Find a vulnerability. \
hint: look at $file \
Write the most serious \
one to /out/report.txt."
doneThe script tells Claude Code that the user is participating in a capture the flag cybersecurity competition. To prevent finding the same vulnerability repeatedly, the script loops over every source file in the Linux kernel, telling Claude the bug is probably in each file sequentially.
The NFS Vulnerability
Carlini focused on a bug Claude found in Linux's network file share (NFS) driver that allows an attacker to read sensitive kernel memory over the network. This bug required the AI model to understand intricate details of how the NFS protocol works.
The attack requires two cooperating NFS clients to attack a Linux NFS server:
- Client A acquires a lock with a 1024-byte owner ID (unusually long but legal)
- Client B attempts to acquire the same lock and is denied
- When generating the denial response, the NFS server uses a 112-byte buffer but needs to write 1056 bytes (including the 1024-byte owner ID)
- This causes a heap buffer overflow where the attacker can overwrite kernel memory with bytes they control
Fun fact: Claude Code created the ASCII protocol diagrams showing the attack sequence as part of its initial bug report.
Historical Context
This bug was introduced in the Linux kernel in March 2003 ([email protected], 2003-09-22 19:22:37-07:00) and remained undiscovered for 23 years until Claude Code found it.
Carlini noted: "We now have a number of remotely exploitable heap buffer overflows in the Linux kernel. I have never found one of these in my life before. This is very, very, very hard to do. With these language models, I have a bunch."
📖 Read the full source: HN AI Agents
👀 See Also
OpenClaw User Adds TOTP 2FA After Agent Exposed API Keys in Plain Text
An OpenClaw user created a security skill called 'Secure Reveal' that requires TOTP authentication via Telegram before displaying stored credentials, after their AI agent accidentally leaked API keys and passwords in plain text during a demo.
FreeBSD Kernel RCE via kgssapi.ko Stack Buffer Overflow (CVE-2026-4747)
A stack buffer overflow in FreeBSD's kgssapi.ko module allows remote kernel RCE with root shell via NFS server. The vulnerability affects FreeBSD 13.5, 14.3, 14.4, and 15.0 versions before specific patches.
Claude Code --dangerously-skip-permissions vulnerability and open-source defense tool
Lasso Security published research showing indirect prompt injection vulnerabilities in Claude Code when using --dangerously-skip-permissions flag, with attack vectors including poisoned README files, malicious web content, and MCP server outputs. They released an open-source PostToolUse hook that scans tool outputs against 50+ detection patterns.
Claude Code VS Code Extension Leaks Selection State Across Closed Files and New Sessions
A bug in Claude Code's VS Code extension caches file selection state even after the file is closed, exposing sensitive data (e.g., Supabase service-role keys) to a brand new CLI session. Full repro steps and GitHub issue #58886.