Claude Code Found a Linux Vulnerability Hidden for 23 Years
Summary
The article reports that Nicholas Carlini used Claude Code to uncover multiple remotely exploitable vulnerabilities in the Linux kernel, including one in the NFS driver that had gone undiscovered for 23 years. It explains how a simple prompt directed Claude Code to examine the kernel source, and walks through the NFS attack, in which two cooperating clients manipulate locks to overrun a 112-byte server buffer, enabling memory writes with attacker-controlled data. It notes that Claude Code found hundreds more potential bugs, but that human review is needed to triage and report them; Nicholas has found five Linux vulnerabilities through this process, and Anthropic’s Claude Opus 4.6 outperformed older models. The piece suggests that a wave of security bugs is coming as AI-based bug hunting improves, while warning that AI findings require careful validation before disclosure.