mtlynch.io | ksl
Anthropic research scientist Nicholas Carlini pointed Claude Code at the Linux kernel source and asked it to find vulnerabilities, framing the task like a capture-the-flag challenge. It found a heap buffer overflow in the NFSv4.0 LOCK replay cache that had gone unnoticed since March 2003, about 23 years: a 112-byte buffer could be overflowed with up to 1024 bytes through a coordinated two-client NFS attack, letting a remote attacker read sensitive kernel memory over the network. The fix has been committed to the stable kernel. Carlini reportedly turned up hundreds of additional candidate bugs but hit a bottleneck validating them by hand. AI-assisted vulnerability discovery in large C codebases is moving from theoretical to operational, and the constraint is no longer finding bugs; it is the human review capacity to confirm and patch them.
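As an added illustration of the bug class this item describes (not code from the kernel, from Carlini, or from the linked post), here is a toy replay cache with a fixed 112-byte reply slot whose store path trusts a peer-supplied length, beside a bounded version of the same two functions. The 112 and 1024 figures are the ones quoted above; the flat simulated heap, the adjacent "neighbor" object, the store-reuse-replay leak sequence and every function name are assumptions made for the demo, not a reconstruction of the NFSv4.0 code or of the actual fault.

```c
/*
 * Added example, not kernel code: a replay cache with a fixed SLOT_SIZE
 * reply buffer.  store_vuln/replay_vuln show the unchecked-length pattern,
 * store_fixed/replay_fixed the bounded one.  The flat heap, the neighbor
 * object and all names are assumptions for the demo.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SLOT_SIZE 112    /* fixed reply buffer inside a cache entry (from the item) */
#define MAX_REPLY 1024   /* largest reply a peer can produce (from the item) */
#define SECRET    0x5A   /* pattern standing in for sensitive neighbor data */

/* One flat array models a heap region so every access below stays
 * well-defined C even when it runs past the slot.  The slot is bytes
 * [0, SLOT_SIZE); an unrelated object (the "neighbor") follows it, as a
 * second allocation would on the same slab. */
#define HEAP_SIZE (SLOT_SIZE + MAX_REPLY)
static unsigned char heap[HEAP_SIZE];
static size_t cached_len;        /* length recorded for the cached reply */

static void reset_heap(void)
{
    memset(heap, 0, sizeof heap);
    memset(heap + SLOT_SIZE, SECRET, MAX_REPLY);
    cached_len = 0;
}

/* 1 while every neighbor byte still holds SECRET, 0 once the slot overflowed into it. */
int neighbor_intact(void)
{
    for (size_t i = SLOT_SIZE; i < HEAP_SIZE; i++)
        if (heap[i] != SECRET)
            return 0;
    return 1;
}

/* Vulnerable: len is bounded only by the protocol maximum, never by the slot. */
int store_vuln(const unsigned char *reply, size_t len)
{
    if (len > MAX_REPLY)
        return -1;
    memcpy(heap, reply, len);    /* up to 1024 bytes into a 112-byte slot */
    cached_len = len;
    return 0;
}

/* Replay hands back cached_len bytes from the slot; once cached_len exceeds
 * SLOT_SIZE that includes whatever currently follows the slot. */
size_t replay_vuln(unsigned char *out, size_t outcap)
{
    size_t n = cached_len < outcap ? cached_len : outcap;
    memcpy(out, heap, n);
    return n;
}

/* Hardened: a reply that does not fit the slot is refused outright... */
int store_fixed(const unsigned char *reply, size_t len)
{
    if (len > SLOT_SIZE)
        return -1;
    memcpy(heap, reply, len);
    cached_len = len;
    return 0;
}

/* ...and the replay side clamps on its own, so a bad length can never
 * become an over-read even if some caller bypasses store_fixed. */
size_t replay_fixed(unsigned char *out, size_t outcap)
{
    size_t n = cached_len > SLOT_SIZE ? SLOT_SIZE : cached_len;
    if (n > outcap)
        n = outcap;
    memcpy(out, heap, n);
    return n;
}

/* Cache a len-byte reply of 'A's into a fresh heap; returns the store result. */
int store_rc(int use_fixed, size_t len)
{
    unsigned char reply[MAX_REPLY];
    memset(reply, 'A', sizeof reply);
    reset_heap();
    return use_fixed ? store_fixed(reply, len) : store_vuln(reply, len);
}

/* Assumed leak sequence (not the kernel's exact fault): an oversized reply is
 * cached, the memory after the slot is reused for a new object holding
 * SECRET, then the request is replayed.  Returns the SECRET bytes returned. */
size_t leaked_secret_bytes(int use_fixed)
{
    unsigned char out[MAX_REPLY];
    size_t leaked = 0;
    if (store_rc(use_fixed, MAX_REPLY) != 0)
        return 0;                                 /* refused: nothing cached */
    memset(heap + SLOT_SIZE, SECRET, MAX_REPLY);  /* neighbor reallocated */
    size_t n = use_fixed ? replay_fixed(out, sizeof out)
                         : replay_vuln(out, sizeof out);
    for (size_t i = SLOT_SIZE; i < n; i++)
        if (out[i] == SECRET)
            leaked++;
    return leaked;
}

int main(void)
{
    for (int fixed = 0; fixed < 2; fixed++) {
        int rc = store_rc(fixed, MAX_REPLY);
        int intact = neighbor_intact();
        size_t leaked = leaked_secret_bytes(fixed);
        printf("%s: store 1024 -> %d, neighbor intact %d, leaked %zu bytes\n",
               fixed ? "hardened  " : "vulnerable", rc, intact, leaked);
    }
    return 0;
}
```

With the unchecked store, caching a 1024-byte reply both clobbers the neighbor and records a 1024-byte length, so the later replay returns 912 bytes that never belonged to the cache entry; the bounded store refuses the reply and the clamped replay path caps at 112 bytes regardless. Checking the length against the destination buffer at the copy site, not merely against the protocol maximum, is the fix this class of bug calls for.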
