Michael Lynch 4/3/2026

Claude Code Found a Linux Vulnerability Hidden for 23 Years

Nicholas Carlini, a research scientist at Anthropic, revealed at the [un]prompted AI security conference that he used Claude Code to find several remotely exploitable heap buffer overflows in the Linux kernel, including a bug that went undetected for 23 years. The vulnerability resides in the NFS driver, allowing attackers to read sensitive kernel memory over the network by exploiting intricate NFS protocol details. Carlini's approach involved a simple script that iterated over kernel source files, instructing Claude Code to search for vulnerabilities as if in a CTF competition. This demonstrates the power of AI in uncovering complex, long-hidden security flaws in critical infrastructure.
