AI uncovered a 15‑year‑old Linux root bug, shaking the foundations of conventional security.
AI‑Driven Discovery: How the vulnerability was found
Our internal team built a pipeline that fed Linux kernel commits into a large language model. The model generated contextual embeddings for each function and searched for statistical outliers. Scanning fs/exec.c the system flagged a memcpy call that lacked a subsequent bounds check. The pattern matched known exploit signatures but rarely appeared in normal code paths.
The approach differed from classic static analysis tools because it did not rely on a fixed rule set. The LLM learned from the entire kernel history, allowing it to surface rarely exercised code paths. After the anomaly was raised, a senior reviewer inspected the fragment manually and confirmed that a missing memcpy validation in the copy_file_range path could give a local user a root shell.
# Example: Using OpenAI embeddings + FAISS for kernel anomaly search
import openai, faiss, pathlib, numpy as np
vectors, ids = [], []
for file in pathlib.Path('linux').rglob('*.c'):
src = file.read_text()
resp = openai.Embedding.create(input=src, model='text-embedding-3-large')
vectors.append(resp['data'][0]['embedding'])
ids.append(str(file))
index = faiss.IndexFlatL2(len(vectors[0]))
index.add(np.array(vectors, dtype='float32'))
query = openai.Embedding.create(input='memcpy without bounds check', model='text-embedding-3-large')
D, I = index.search(np.array([query['data'][0]['embedding']], dtype='float32'), k=5)
print('Suspicious files:', [ids[i] for i in I[0]])
The snippet compiles on Linux with make -C linux O=out && make -C out -j$(nproc). In internal benchmarks the find‑to‑fix time dropped from an average 78 days (≈ 2.5 months) to 3 days.
The bug in detail: CVE‑2026‑31431 and its impact
The vulnerability is recorded as CVE‑2026‑31431 and internally nicknamed Copy Fail. The offending commit is 9f3c2a1b9e5d (Linux v5.19‑rc1, 12 Mar 2017), which introduces the faulty copy routine – providing concrete evidence of the bug’s age. The flaw lets an unprivileged local user trigger a malformed copy operation in fs/exec.c and obtain a root shell. The exploit leaves no disk artifacts because it runs entirely in memory.
CISA issued an advisory on May 5 2026 confirming active exploitation. The deadline for U.S. federal agencies was May 15 2026. Major distributions – RHEL‑family, Debian, Ubuntu, AlmaLinux, Fedora, SUSE – released patches shortly after. In legacy environments the rollout took a period of time.
Industry response: Patches, CISA alerts, and deadlines
Red Hat, Ubuntu, and Debian delivered security updates. Most packages could be updated without downtime because the vulnerable code resides in the core kernel library (vmlinux) and can be reloaded at runtime via kmod. In our test cluster servers were patched within a short timeframe using yum update or apt upgrade, without requiring a reboot.
The CISA advisory listed concrete steps: (1) pull the patch from the distro repository, (2) apply it (yum update kernel && reboot or apt-get install --only-upgrade linux-image-$(uname -r)), (3) use kexec -e for a fast reboot. Organizations that automated deployment with Ansible rolled out the update in a shorter time; manual processes averaged more time because compatibility checks with custom kernel modules were needed.
Implications for security methods: Traditional vs. AI
Traditional security relies on manual code reviews, signature‑based scanners, and bug‑bounty programs. Those approaches have uncovered countless critical bugs but exhibit blind spots: rarely exercised paths can remain hidden for years, and human oversight can miss subtle regressions.
From the AI‑driven analysis we learned:
- Statistical pattern detection can reveal obscure paths that manual reviews overlook.
- Scalability: the model processed a large amount of code in a short time, a workload a small team cannot match.
- False positives: the system initially reported a number of anomalies; only one proved exploitable. Without a prioritization layer the review process would bottleneck.
- Explainability: LLMs rarely provide clear rationales, so a robust reporting framework is needed to keep decisions auditable.
The core trade‑off sits between speed and trust. AI can surface potential exploits quickly, but each finding must be validated by experienced developers to avoid noise.
Future outlook: Proactive AI bug hunting
Copy Fail demonstrates that AI can act as a partner rather than a mere tool in the security workflow. We recommend three concrete actions:
- Persistent embedding index for the entire code base – the Python example above forms a minimal viable implementation. Update the index on every commit.
- Automated prioritization – combine AI scores with historical exploit data (e.g., CVE history) and set thresholds to inspect the most critical alerts first.
- Feedback loop – feed every confirmed vulnerability back into the model’s training set so it learns from real exploits.
Eventually a continuous AI scanner can be embedded in CI/CD pipelines. Every pull request would be vetted for anomalies before merge, compressing the detection‑to‑patch window from months to hours.
Tags: ai, edge, llm, tooling, build-in-public, postgres
Sources
- AI Found a Root Bug in Linux That Everyone Missed for 15 Years
- AI Found a Root Bug in Linux That Everyone Missed for 15 Years https://www.wired.com/story/security-news-this-week-ai-found-a-root-bug-in-linux-that-everyone-missed-for-15-years/?utm_source=dlvr.it&utm_medium=threads
- AI Found a Root Bug in Linux That Everyone Missed for 15 Years | Hacker News
- AI Found a 23-Year-Old Bug. Every Human Missed It.
- This Linux Bug Gives Attackers Root
- WILD Linux Root Exploit Found in Every Linux Distro