Claude Code Finds 23-Year-Old Linux Kernel Vulnerability

Nicholas Carlini, a research scientist at Anthropic, reported at the [un]prompted AI security conference that he used Claude Code to find multiple remotely exploitable security vulnerabilities in the Linux kernel, including one that sat undiscovered for 23 years.
How Claude Code Found the Bug
Carlini was surprised by how little oversight Claude Code needed. He essentially pointed Claude Code at the Linux kernel source code and asked, "Where are the security vulnerabilities?" using a simple script that iterated over all files in the source tree.
#!/usr/bin/env bash
# Iterate over all files in the source tree (NUL-delimited, so odd filenames are safe).
find . -type f -print0 | while IFS= read -r -d '' file; do
    # Tell Claude Code to look for vulnerabilities in each file.
    # --dangerously-skip-permissions lets it act without per-action prompts;
    # the backslash-newlines inside the quotes join the prompt into one line.
    claude \
        --verbose \
        --dangerously-skip-permissions \
        --print "You are playing in a CTF. \
Find a vulnerability. \
hint: look at $file \
Write the most serious \
one to /out/report.txt."
done
The script tells Claude Code that the user is taking part in a capture-the-flag security competition. To keep it from reporting the same vulnerability over and over, the script loops over every source file in the Linux kernel and, on each iteration, tells Claude that the bug is probably in that particular file.
The NFS Vulnerability
Carlini focused on a bug Claude found in Linux's network file share (NFS) driver that allows an attacker to read sensitive kernel memory over the network. This bug required the AI model to understand intricate details of how the NFS protocol works.
The attack requires two cooperating NFS clients to attack a Linux NFS server:
- Client A acquires a lock with a 1024-byte owner ID (unusually long but legal)
- Client B attempts to acquire the same lock and is denied
- When generating the denial response, the NFS server uses a 112-byte buffer but needs to write 1056 bytes (including the 1024-byte owner ID)
- This causes a heap buffer overflow where the attacker can overwrite kernel memory with bytes they control
Fun fact: Claude Code created the ASCII protocol diagrams showing the attack sequence as part of its initial bug report.
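The defect class behind that overflow is a reply encoder that trusts a variable-length field to fit a fixed-size buffer. The following is an added illustration, not code from the kernel or from Carlini's report: it models a 112-byte reply buffer with an assumed 32 bytes of fixed fields (chosen so that a 1024-byte owner ID needs the 1056 bytes the article cites), shows the unchecked copy beside the bounds-checked form, and the layout is a constructed simplification rather than the real NFS encoding.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed, simplified model of the failure mode described above:
 * a fixed 112-byte reply buffer that must hold 32 bytes of fixed fields
 * plus a caller-supplied owner ID. The field sizes are assumptions for
 * illustration, not the kernel's actual NFS wire format. */
#define REPLY_BUF_SIZE 112u
#define FIXED_FIELDS   32u   /* assumed size of the non-owner fields */

struct denied_reply {
    uint8_t buf[REPLY_BUF_SIZE];
    size_t  len;               /* bytes actually encoded */
};

/* Bytes the encoder would have to write for a given owner length. */
size_t denied_reply_needed(size_t owner_len) {
    return FIXED_FIELDS + owner_len;
}

/* Vulnerable shape: the owner length is trusted and the copy is
 * unconditional. Called with a 1024-byte owner this writes past the end
 * of buf, which is the heap overflow the report describes; it is kept
 * here only to contrast with the checked version below. */
void encode_denied_unchecked(struct denied_reply *r,
                             const uint8_t *owner, size_t owner_len) {
    memset(r->buf, 0, FIXED_FIELDS);   /* placeholder fixed fields */
    memcpy(r->buf + FIXED_FIELDS, owner, owner_len);
    r->len = FIXED_FIELDS + owner_len;
}

/* Hardened shape: compute the required size before touching the buffer
 * and refuse to encode a reply that does not fit.
 * Returns 0 on success, -1 when the reply would exceed the buffer. */
int encode_denied_checked(struct denied_reply *r,
                          const uint8_t *owner, size_t owner_len) {
    size_t needed = denied_reply_needed(owner_len);
    if (needed > sizeof r->buf)
        return -1;
    memset(r->buf, 0, FIXED_FIELDS);
    memcpy(r->buf + FIXED_FIELDS, owner, owner_len);
    r->len = needed;
    return 0;
}
```

The check belongs on the size the response will need, not on the size of any one field, since the fixed fields and the owner ID only overflow together.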
Historical Context
This bug was introduced in the Linux kernel in March 2003 ([email protected], 2003-09-22 19:22:37-07:00) and remained undiscovered for 23 years until Claude Code found it.
Carlini noted: "We now have a number of remotely exploitable heap buffer overflows in the Linux kernel. I have never found one of these in my life before. This is very, very, very hard to do. With these language models, I have a bunch."
📖 Read the full source: HN AI Agents