Claude Code found a 23-year-old Linux kernel bug that no human ever could
Nicholas Carlini is one of the most cited AI security researchers alive. He's spent his career breaking things. He's found bugs in neural networks, smart contracts, and production systems across dozens of companies. He has never, in his entire career, found a heap overflow in the Linux kernel.
Claude did it on a Tuesday.
At the [un]prompted AI security conference last week, Carlini dropped what might be the most unsettling AI demo I've seen this year. He pointed Claude Code at the Linux kernel source, and it found multiple remotely exploitable vulnerabilities, including a stack buffer overflow in the NFSv4 daemon that had been sitting there, undetected, for 23 years. This is the same codebase that thousands of the world's best engineers have reviewed, fuzzed, and audited since 2003.
The FreeBSD exploit that shouldn't exist
The Linux kernel bug was just the appetizer. On March 26, FreeBSD published CVE-2026-4747, crediting "Nicholas Carlini using Claude, Anthropic" for a remote kernel code execution vulnerability. Then Carlini asked Claude to write a working exploit for it.
In eight hours (four hours of actual AI compute time), Claude configured a FreeBSD VM with NFS, Kerberos, and the vulnerable kernel module. It devised a multi-packet shellcode delivery strategy. It debugged incorrect stack offsets using De Bruijn patterns. It created a new process from kernel context and transitioned it to userspace. It cleared inherited debug registers that were crashing child processes. Six distinct problems, each requiring deep systems knowledge, solved autonomously.
The result was a full remote root shell. No authentication required.
"I've never found a vulnerability in the Linux kernel in my life, but the model did," Carlini said. "That's a terrifying thought."
The irony is almost too perfect
Here's what makes this week so strange. The same tool that found a 23-year-old kernel bug also leaked its own source code through an npm packaging error. All 512,000 lines. Security researchers immediately found a critical vulnerability in Claude Code itself, plus a bypass where commands with 50+ subcommands skip security analysis entirely. Anthropic built the fix (a tree-sitter parser) but hasn't shipped it to users yet.
So we have an AI that can find bugs humans can't, but that also ships bugs humans wouldn't. The tool is simultaneously the best vulnerability researcher on the planet and a vulnerability itself.
This isn't a contradiction. It's just the reality of where we are. AI security research doesn't follow the old rules where competence at finding bugs implies competence at not creating them. Claude can hold both of these states at once because finding and building are fundamentally different tasks, even for machines.
What this actually means for security
The 35 new CVEs filed in March 2026 that trace directly to AI-generated code tell one side of the story. The 500 validated high-severity vulnerabilities Carlini has generated using Claude tell the other. AI is simultaneously the biggest new source of bugs and the most powerful new tool for finding them.
For defenders, this is a net positive, but barely. The speed advantage goes to whichever side points the AI at code first. A 23-year-old bug that sat dormant through decades of human review got found in hours. How many more are there? And who finds them first -- the researcher presenting at a conference, or the attacker who doesn't publish?
Carlini has reportedly made $3.7 million exploiting smart contract vulnerabilities using Claude. That's a security researcher doing it ethically, with disclosed findings and responsible coordination. The economics work identically for someone who doesn't disclose.
I keep coming back to Carlini's line: "That's a terrifying thought." Not because the AI found the bug. Because of what it means that the AI found a bug that the best humans, with 23 years and unlimited access to the same source code, couldn't.
Key takeaways
- Claude Code autonomously discovered a remotely exploitable Linux kernel vulnerability that existed undetected for 23 years, plus wrote a full FreeBSD kernel exploit (CVE-2026-4747) with root shell access in 8 hours.
- AI vulnerability research operates at a fundamentally different speed and scale than human review. The economics favor whoever deploys it first.
- The same week Claude found these bugs, its own source code leaked and its own vulnerabilities were exposed. AI security tools create risk and eliminate it simultaneously.
- If you maintain any critical infrastructure code, assume AI-powered auditing is coming for your codebase. The 23-year grace period on hidden bugs is over.