Claude Code, Anthropic's AI tool, exposed a critical Linux kernel flaw hidden for 23 years, demonstrating AI's growing role in cybersecurity. Nicholas Carlini, Anthropic research scientist, revealed the discovery at the [un]prompted conference, calling it a breakthrough in automated vulnerability detection.

The tool identified a remotely exploitable heap buffer overflow in Linux's NFS driver, allowing attackers to read sensitive kernel memory via network file shares. The bug, introduced in 2003, remained undetected due to a 112-byte buffer overflow triggered by an oversized 1024-byte owner ID. Carlini's script automated vulnerability hunting by iterating through kernel files and prompting Claude Code to analyze each for weaknesses—a process requiring minimal human intervention.

Carlini found five confirmed Linux vulnerabilities using Claude Code, including issues in io_uring, futex, and Samba subsystems. While newer models like Opus 4.6 outperformed older versions, human validation remains critical. "I have hundreds of potential bugs I can't validate yet," he noted, highlighting the tool's scalability but also its current limitations.

The discovery underscores AI's transformative potential in security research. The NFS flaw, which predates Git's existence, required deep protocol understanding—something Claude Code achieved without explicit training on such attacks. As Carlini warned, expect a surge in vulnerability disclosures as AI models evolve: "An enormous wave of security bugs is coming."