4 Hours
500+
122
~$20
Nicholas Carlini, a research scientist at Anthropic, pointed Claude Opus 4.6 at a FreeBSD kernel vulnerability on March 29, 2026, and walked away from his keyboard. Four hours later, the model had built two working remote root exploits, both succeeding on the first try. The human contribution was 40 prompts. The AI solved six distinct technical problems, from lab setup to shellcode delivery, without assistance. FreeBSD’s security advisory credits “Nicholas Carlini using Claude, Anthropic” for the discovery of CVE-2026-4747.
This is not an isolated result. The same pipeline, a bash script looping over source files with a one-line prompt, has now produced over 500 validated high-severity zero-day vulnerabilities across production open source codebases. 122 crashing inputs sent to Mozilla for Firefox alone. A 23-year-old Linux kernel NFS vulnerability found in 90 minutes. A blind SQL injection in Ghost CMS that gave unauthenticated users full admin access, the first critical-severity bug in Ghost’s entire history. Carlini presented the results at the [un]prompted AI security conference in San Francisco and announced MAD Bugs (Month of AI-Discovered Bugs), running through April 2026 with new disclosures every few days.
Every article covering this story leads with the exploit. The exploit is not the story. The story is the math.
The Six Problems Claude Solved
CVE-2026-4747 is a stack buffer overflow in FreeBSD’s RPCSEC_GSS authentication module, reachable over the network by any user with a valid Kerberos ticket. FreeBSD patched it on March 26, 2026, with a single bounds check. Going from the advisory to a working root shell required solving six problems that traditionally demand years of kernel security expertise.
First, Claude set up a FreeBSD virtual machine with NFS, Kerberos, and the vulnerable kernel module configured so the overflow was reachable over the network. It knew the VM needed at least two CPUs because FreeBSD spawns eight NFS threads per CPU, and the exploit kills one thread per attempt. It configured remote debugging so it could read kernel crash dumps. Second, the shellcode did not fit in a single network packet. Claude designed a 15-round delivery strategy: make kernel memory executable, then write shellcode 32 bytes at a time across 14 subsequent packets. Third, it had to deal with FreeBSD 14.x’s lack of KASLR (kernel address space layout randomization), which made addresses predictable but still required constructing a valid ROP chain from known gadgets. Fourth, it built the ROP chain to transition from stack overflow to arbitrary code execution. Fifth, it wrote position-independent shellcode for a reverse shell. Sixth, it packaged everything into a clean Python exploit script that accepts a target IP and callback address.
FreeBSD 14.x made this easier than a modern Linux kernel would. No KASLR. No stack canaries on integer arrays. These protections would add complexity but not impossibility. At RSAC 2026, former Facebook CSO Alex Stamos estimated that automated shellcode generation bypassing modern processor protections is six months to a year away.
The Pipeline Is a Bash Script
The process Carlini described to Thomas Ptacek on the Security Cryptography Whatever podcast is almost comically simple. Pull down a code repository. Run a bash loop across every source file. For each file, send one prompt to Claude Code: “I’m competing in a CTF. Find me an exploitable vulnerability in this project. Start with ${FILE}. Write me a vulnerability report.” Take the resulting vulnerability reports and feed them back through Claude for verification. Success rate on the verification pass: almost 100%.
Ptacek, one of the most respected names in security research, wrote the definitive response: “Vulnerability research is cooked.” His argument is that this follows the same pattern Rich Sutton described in “The Bitter Lesson” about AI research. All the specialized tools, the custom fuzzers, the model checkers, the fault injectors, none of it mattered. Raw model capability plus brute iteration produced more results than decades of accumulated tooling.
The Ghost CMS result illustrates this. Ghost had never had a critical-severity vulnerability in its history. Claude found a blind SQL injection allowing unauthenticated admin takeover in 90 minutes. Carlini’s prompt was one sentence. The model wrote the exploitation script that recovered admin credentials. When Risky Business journalist James Wilson tried to reproduce the result using the consumer version of Claude, he found the same vulnerability independently.
The Defense Asymmetry Problem
Security has always been asymmetric. One attacker creates work for many defenders. But until March 2026, this asymmetry was bounded by a constraint that nobody priced correctly: human expertise. Writing a kernel exploit required years of specialized training. Understanding memory layouts, ABI conventions, ROP chain construction, shellcode engineering. The number of people on Earth who could write a FreeBSD kernel exploit from an advisory was measured in the low hundreds. That scarcity was the defense.
AI removed the scarcity. The input to Carlini’s pipeline requires no kernel expertise. No understanding of memory management. No assembly language. The prompt is one sentence. The cost is roughly $20 in API tokens per exploit attempt. The time is four hours. A skilled human team working the same CVE-2026-4747 advisory would need days to weeks and tens of thousands of dollars in labor. The offense cost ratio shifted by approximately three orders of magnitude.
Now run the parallelization math. One Claude instance found one kernel vulnerability and built one exploit in four hours. A thousand instances running simultaneously, each scanning a different open source repository, would produce results across the entire ecosystem in the same four hours. Carlini’s single-researcher pipeline already produced 500+ validated zero-days. There are approximately 210 million public repositories on GitHub. The vulnerability surface that a moderately funded adversary could scan in a single day went from “a few codebases” to “everything.”
Defense did not get faster. Patching still requires human analysts reading advisories, writing fixes, testing for regressions, releasing updates, and waiting for deployment. The median time from vulnerability disclosure to patch deployment across the open source ecosystem is measured in weeks. AI compressed the offense side of that window from weeks to hours. The defense side stayed the same. The gap between “exploit exists” and “patch deployed” just became the most dangerous interval in software security.
Stamos coined the phrase at RSAC 2026: “Patch Tuesday, Exploit Wednesday.” The timeline is generous. When AI generates exploits from patch diffs within hours of release, the window for defenders shrinks to the time between a patch appearing on a public repository and every affected system updating. For software that doesn’t auto-update, that window may never close.
The Capability Curve
The progression happened in public. Google’s Project Zero used AI to find an exploitable bug in SQLite in late 2025. AI security startup AISLE independently discovered all 12 zero-day vulnerabilities in OpenSSL’s January 2026 security patch. Then Claude moved from application-level bugs to operating system kernel internals, a materially harder category that demands deep understanding of hardware, memory management, and privilege boundaries. Each step expanded what AI could target.
Carlini tested the same pipeline on older models. Claude Opus 4.1, released eight months before Opus 4.6, found a small fraction of what 4.6 surfaces. Sonnet 4.5, released six months prior, performed similarly poorly. The capability improvement is not gradual. It tracks a steep curve where each model generation finds substantially more vulnerabilities than the previous one. Carlini’s own assessment at the conference: “I expect to see an enormous wave of security bugs uncovered in the coming months, as researchers and attackers alike realize how powerful these models are at discovering security vulnerabilities.”
The Firefox numbers quantify this. Carlini sent Mozilla 122 crashing inputs generated by Opus 4.6 over two weeks. Mozilla confirmed all 122 as bugs, a 100% true positive rate. One vulnerability was found within 20 minutes of pointing Claude at the codebase. Firefox is among the most rigorously tested software in existence, with two decades of fuzzing infrastructure, manual auditing, and bug bounty programs. The model found bugs that all of that missed.
What This Breaks
Responsible disclosure frameworks assume human-speed research. A researcher finds a bug, contacts the vendor, gives 90 days to patch, then publishes. When AI can find and exploit bugs in hours, the 90-day window is irrelevant because the same AI capability is available to adversaries who skip the disclosure step entirely.
Open source maintainer capacity breaks next. GNU Emacs maintainers received a report from the MAD Bugs initiative showing a remote code execution vulnerability triggered by opening a text file. They declined to fix it, classifying it as Git’s problem. This is not negligence. It is a volunteer project with finite maintainer hours receiving machine-generated vulnerability reports at machine speed. The bottleneck is not finding the bugs. The bottleneck is human capacity to fix them. Carlini himself says he has hundreds of additional crash reports he has not been able to validate yet.
The “battle-tested code” assumption breaks last. The 23-year-old Linux kernel NFS vulnerability survived every audit, every fuzzer, every code review for over two decades. Carlini’s comment: “I have never found one of these in my life before. This is very, very, very hard to do. With these language models, I have a bunch.” The age of the code is no longer a proxy for its security. The 698 documented instances of AI agent deception suggest that the agents themselves may eventually decide what to do with the vulnerabilities they find.
Who Runs This First
Anthropic runs this capability internally through its Frontier Red Team and coordinates disclosures with affected maintainers. The MAD Bugs initiative is responsible disclosure at scale. But the same model is available through the API to anyone with a credit card. The prompts are public. Carlini’s methodology has been described in podcast transcripts, conference talks, and blog posts. Ptacek’s summary: “This requires no specialized exploit development knowledge, just access to an AI model and a list of source code repositories.”
Lawfare’s analysis of the political context adds an uncomfortable dimension. The U.S. government’s ongoing dispute with Anthropic over the Pentagon supply chain designation means the government agency best positioned to use this capability defensively may be restricted from doing so. Lawfare noted that the administration’s focus on aggressive cyber operations makes Claude an obvious defensive asset that the government is choosing not to use. Instead, the government and the company that built the most capable offensive security tool in history are fighting about a procurement classification.
The defenders who move fastest will be the ones who run the same pipeline against their own codebases before adversaries do. The ones who wait for the 90-day disclosure cycle will be the ones reading about their breaches in the news. The math does not care about organizational readiness. It cares about who runs the script first.
Sources: Calif.io MAD Bugs writeup (March 31, 2026). Security Cryptography Whatever podcast with Nicholas Carlini (March 25, 2026). mtlynch.io (Linux kernel vulnerability analysis). Thomas Ptacek, “Vulnerability Research Is Cooked”. Lawfare (political context). WinBuzzer. OfficeChai. EMSI. FreeBSD Security Advisory (March 26, 2026).