> Claude was used to find the bug in the first place though. That CVE write-up happened because of Claude

Do you have a link to that? A rather important piece of context.

Wasn't trying to downplay this submission by the way, the main point still stands:

But finding a bug and exploiting it are very different things. Exploit development requires understanding OS internals, crafting ROP chains, managing memory layouts, debugging crashes, and adapting when things go wrong. This has long been considered the frontier that only humans can cross.

Each new AI capability is usually met with “AI can do Y, but only humans can do X.” Well, for X = exploit development, that line just moved.

reply
> Do you have a link to that? A rather important piece of context.

It was a quote from your own link from the initial post?

https://www.freebsd.org/security/advisories/FreeBSD-SA-26:08...

> Credits: Nicholas Carlini using Claude, Anthropic

reply
Oh wow, blind as a bat.

Would have been interesting with a write-up of that, to see just what Claude was used for.

reply
Obviously no guarantees that it's exactly what was done in this case, but he talked about his general process recently at a conference and more in depth in a podcast:

https://www.youtube.com/watch?v=1sd26pWhfmg

https://securitycryptographywhatever.com/2026/03/25/ai-bug-f...

It pretty much is just "Claude find me an exploitable 0-day" in a loop.

reply
Yes, that claim needs a source.