Claude Code uncovers 23‑year‑old Linux flaw, exposing long‑hidden vulnerability

Claude Code’s discovery hinges on a surprisingly minimalist workflow. Carlini fed the model a simple shell script that iterated over every file in the kernel tree, prompting Claude with a “CTF‑style” request to locate the most serious flaw in each file. The script runs `find . -type f -print0` to enumerate source files, then invokes Claude with flags `--verbose --dangerously-skip-permissions --print`, embedding a prompt that frames the task as a capture‑the‑flag puzzle and asks the model to “Write the most serious one to /out/report.txt.” According to the conference presentation, this brute‑force approach required no custom training, no fine‑tuning, and no human‑written test cases; the model simply parsed each file’s C code, applied its internal knowledge of memory safety, and returned candidate vulnerabilities. Carlini noted that the process “essentially just pointed Claude Code at the Linux kernel source code and asked, ‘Where are the security vulnerabilities?’” and that the model produced multiple remotely exploitable heap buffer overflows—a class of bugs he had never seen in his own manual audits (Mtlynch).

One of the most consequential findings resides in the NFS (Network File System) driver, a component that has been part of the kernel since the early 1990s. The flaw allows an attacker to read arbitrary kernel memory by exploiting an oversized lock owner identifier. In the attack sequence, a malicious client (Client A) initiates a standard NFS handshake, obtains a lock on a file, and deliberately supplies a 1024‑byte owner ID—well beyond the typical size but still legal under the protocol. The server dutifully records this oversized structure in a heap buffer. A second cooperating client (Client B) then issues a lock request for the same range. The server’s lock‑grant logic compares the incoming request against the existing lock state, constructs a response packet that includes the full 1024‑byte owner field, and sends it back to Client B. Because the response is larger than the client’s allocated buffer, the server inadvertently leaks the contents of adjacent kernel memory into the network packet. By capturing this packet, an attacker can extract sensitive data such as kernel pointers, credentials, or other privileged information (Mtlynch). The exploit does not require local code execution; it can be launched entirely over the network, making it a true remote attack vector.

The underlying cause is a classic heap buffer overflow: the kernel allocates a fixed‑size structure for lock owners but fails to enforce a strict length check on the incoming `owner_len` field. When the client supplies a length of 1024 bytes, the kernel copies the entire payload into a buffer sized for a much smaller value, overrunning the heap. This oversight persisted for 23 years, likely because the NFS code path is rarely exercised in typical desktop workloads and because the protocol permits variable‑length owner identifiers, obscuring the boundary violation. Carlini emphasized that “I have never found one of these in my life before. This is very, very, very hard to do,” underscoring how the AI model was able to reason about the protocol’s intricacies and spot the mismatch that human reviewers missed (Mtlynch).

Beyond the NFS bug, Claude Code reported several other heap buffer overflows across disparate subsystems, each involving subtle miscalculations of buffer sizes versus user‑controlled lengths. While the conference talk highlighted only the NFS case for clarity, the broader set of findings suggests a systemic pattern: legacy kernel code often assumes well‑behaved callers and neglects rigorous bounds checking. The fact that an off‑the‑shelf language model could surface these issues with minimal prompting raises questions about the future of static analysis. Carlini’s script essentially turned Claude into an autonomous auditor, iterating over millions of lines of C code and surfacing high‑impact bugs without any handcrafted rule sets. This contrasts sharply with traditional tools that rely on manually authored checkers or fuzzers targeting specific APIs.

The immediate response from the Linux kernel maintainers has been to issue a provisional patch that adds explicit length validation to the NFS lock handling path and to begin a broader audit of similar lock‑related structures. The patch, submitted to the kernel mailing list within days of the conference, was merged into the upcoming 6.9 release. Security researchers outside the project have already begun reproducing the exploit in controlled environments, confirming that the remote memory‑leak can be triggered with two cooperating NFS clients on a vulnerable kernel version (Mtlynch). As the kernel community digests the implications, Carlini’s demonstration may accelerate the adoption of AI‑assisted code review in open‑source projects, especially for codebases with decades‑long lifespans where hidden bugs can linger unnoticed.