Claude Code Found a Linux Vulnerability Hidden for 23 Years
Nicholas Carlini, a research scientist at Anthropic, used Claude Code to discover multiple remotely exploitable heap buffer overflows in the Linux kernel, including one that had gone undetected for 23 years. The vulnerability exists in the NFS driver: when a lock request is denied, the server writes a response of up to 1056 bytes into a 112-byte buffer, allowing an attacker to overwrite kernel memory. The discovery required minimal human oversight — a simple shell script looped Claude Code over every source file in the kernel asking it to find vulnerabilities. Carlini has found hundreds more potential bugs but lacks the time to validate and report them all. The rapid improvement of LLMs at vulnerability discovery signals a coming wave of security bug disclosures.