Claude Code Found a Linux Vulnerability Hidden for 23 Years
TL;DR Highlight
Anthropic researcher Nicholas Carlini discovered multiple security vulnerabilities in the Linux kernel using Claude Code, including a remotely exploitable heap buffer overflow that had remained undetected for 23 years. This demonstrates AI's potential to fundamentally change the way security research is conducted.
Who Should Read
Security researchers or backend developers interested in vulnerability analysis or code auditing. Specifically, those who want to detect vulnerabilities in large open-source codebases using automated methods.
Core Mechanics
- Anthropic research scientist Nicholas Carlini announced at the [un]prompted 2026 AI Security Conference that he discovered several remotely exploitable heap buffer overflow vulnerabilities (a vulnerability that allows writing data beyond the allocated memory boundary) in the Linux kernel using Claude Code.
- Carlini stated that he had never discovered such vulnerabilities directly before. Remotely exploitable heap buffer overflows are a very difficult type of bug to find, even for people in the industry, and he discovered multiple of them using Claude Code.
- The detection method is surprisingly simple. He used a single shell script to instruct Claude Code to 'find vulnerabilities as if participating in a CTF (Capture The Flag, a security competition)' on the Linux kernel source code, without any elaborate setup.
- The script used the `find` command to iterate through all source files in the Linux kernel, pointing Claude at one file at a time. This prevents duplicate discovery of the same vulnerability while covering the entire kernel.
- One of the vulnerabilities discovered was found in the Linux NFS (Network File Share, a protocol for sharing files over a network) driver. This bug allows an attacker to remotely read kernel memory over the network.
- The vulnerability works as follows: Client A locks a file on the NFS server with a 1024-byte owner ID, and when Client B requests a lock on the same file, the server generates a lock rejection response. This response includes Client A's owner ID (up to 1024 bytes), but the server attempts to write it into a buffer of only 112 bytes, writing 1056 bytes and overflowing the buffer.
- This bug had been present in the Linux kernel since its initial introduction in 2002 and remained undetected for 23 years. The fact that it requires understanding the complex state flow of the NFS protocol, rather than simple pattern matching, highlights Claude Code's deep understanding capabilities.
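The size mismatch described in the list above, as an added C example that is not the kernel's code or anything shown in the talk: a hypothetical lock-denied reply encoder that trusts the owner length, beside one that checks it first. All names are made up, and the 32 bytes of fixed fields are an assumption obtained by treating the article's 1056 bytes as the full reply size (1056 - 1024).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define REPLY_BUF_SIZE 112   /* reply buffer size given in the article */
#define OWNER_MAX      1024  /* maximum owner ID length given in the article */
#define DENIED_FIXED   32    /* assumed fixed fields: 1056 - 1024 */

struct reply_buf { uint8_t data[REPLY_BUF_SIZE]; size_t used; };

/* Bytes a lock-denied reply needs for an owner ID of owner_len bytes. */
size_t denied_reply_size(size_t owner_len) { return DENIED_FIXED + owner_len; }

/* "Before" pattern: trusts owner_len. It is only safe while the reply
 * happens to fit, which is why tests with short owner IDs never trip it. */
void encode_denied_unchecked(struct reply_buf *b, const uint8_t *owner, size_t n)
{
    memset(b->data + b->used, 0, DENIED_FIXED);
    memcpy(b->data + b->used + DENIED_FIXED, owner, n);
    b->used += denied_reply_size(n);
}

/* Hardened form: validate the variable-length field against the protocol
 * maximum and against the space left before copying anything. */
int encode_denied_checked(struct reply_buf *b, const uint8_t *owner, size_t n)
{
    if (b->used > sizeof(b->data) || n > OWNER_MAX)
        return -1;                      /* malformed state or field */
    if (denied_reply_size(n) > sizeof(b->data) - b->used)
        return -2;                      /* reply does not fit: fail closed */
    memset(b->data + b->used, 0, DENIED_FIXED);
    memcpy(b->data + b->used + DENIED_FIXED, owner, n);
    b->used += denied_reply_size(n);
    return 0;
}

int main(void)
{
    static const uint8_t owner[OWNER_MAX] = {0};   /* constructed sample */
    struct reply_buf b = { .used = 0 };
    /* A 16-byte owner fits; a 1024-byte owner is rejected, not copied. */
    return !(encode_denied_checked(&b, owner, 16) == 0 &&
             encode_denied_checked(&b, owner, OWNER_MAX) == -2);
}
```

Under these assumptions any owner ID longer than 80 bytes (112 - 32) no longer fits, and that is the case the checked encoder refuses.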
Evidence
- One comment said, "You can just paste the code and ask 'What did I miss? Where are the bugs?'" Commenters shared positive experiences of AI quickly handling analyses that previously took hours, such as threading or distributed systems bugs, and predicted that many cryptocurrency implementations are now being reviewed by AI.
- One comment pointed out that this vulnerability was not so much 'hidden' as 'nobody bothered to look for it.' It was a bug that could have been prevented by always checking the valid range when handling variable-length data, and some static analysis tools might also have detected it.
- Several comments mentioned applying this method to multiple production codebases, with results including many duplicates, false positives, and bugs that were not actually exploitable, but also the discovery of actual critical vulnerabilities.
- There were also skeptical views on the quality of Claude Code itself, with one comment stating, "It has a lot of hallucinations and generates code that wouldn't have passed code review six months ago." There was honest concern about whether AI is being overhyped or whether they are using it incorrectly.
- GitHub Security Lab also commented that they are working on a similar AI security agent, sharing a stream of 23 vulnerabilities discovered in 2025 and releasing a Taskflow harness for direct execution.
How to Apply
- If you are a development team that needs to perform security audits periodically, you can try attaching an automated pipeline to your CI/CD that iterates through source files using a script like the one in the Code Example section and asks Claude Code to review each file in CTF format. Even with many false positives, it's better than missing actual critical vulnerabilities.
- Before code review on a new feature, pasting the code you wrote into Claude Code and asking 'What did I miss? Are there any bugs or security vulnerabilities?' can help catch easily overlooked issues like buffer size mismatches or race conditions.
- If you are using open-source libraries or protocol implementations, you can give the source files to Claude Code and ask it to 'find vulnerabilities that could occur in the edge cases (extreme input conditions) of this protocol' to get hints about deep protocol-level bugs like the NFS case.
- You must always filter the reported vulnerabilities. There are many false positives and cases that are not actually exploitable, so it is realistic to use Claude Code's results as a first-pass screening tool and design a two-stage process in which humans verify the results.
Code Example
```bash
# Script to iterate through all source files in the Linux kernel and request vulnerability detection from Claude Code.
# (Similar to the method used by Nicholas Carlini)
find . -type f -print0 | while IFS= read -r -d '' file; do
  # stdin is redirected so the command cannot consume the file list piped from find.
  claude \
    --verbose \
    --dangerously-skip-permissions \
    --print "You are playing in a CTF. \
Find a vulnerability. \
hint: look at $file \
Write the most serious \
one to /out/report.txt." < /dev/null
done
```
Terminology