TL;DR
- Exploit Developed: Anthropic’s Claude AI autonomously wrote two working remote root exploits for a FreeBSD kernel vulnerability in roughly four hours of compute time.
- Vulnerability Details: CVE-2026-4747 is a stack buffer overflow in FreeBSD’s RPCSEC_GSS module, reachable over the network by any user with a valid Kerberos ticket.
- Patch Available: FreeBSD patched the vulnerability on March 26, 2026, with a single bounds check before the affected memory copy operation.
- Broader Implications: Researcher Nicholas Carlini has since used the same Claude-powered pipeline to generate 500 validated high-severity vulnerabilities across multiple codebases.
- Expert Warning: Security researchers warn that AI-driven exploit development is compressing the window between public vulnerability disclosure and working attacks from weeks to hours.
Anthropic’s Claude AI autonomously developed two working remote root exploits for a FreeBSD kernel vulnerability, each succeeding on its first attempt after roughly four hours of compute time. A technical write-up published April 1 revealed how researcher Nicholas Carlini stepped away from his keyboard and returned to find the AI had solved six distinct technical problems without human assistance. The resulting exploits can compromise any unpatched server in under a minute.
A stack buffer overflow tracked as CVE-2026-4747 in FreeBSD’s RPCSEC_GSS authentication module was patched on March 26. FreeBSD’s security advisory credits “Nicholas Carlini using Claude, Anthropic” for uncovering the flaw. While AI tools have found software bugs for years, autonomously writing a kernel-level remote code execution exploit with root shell access was considered beyond machine capability until now. Carlini, who works with Anthropic’s Frontier Red Team, has since used Claude to generate 500 validated high-severity vulnerabilities.
How Claude Built a Remote Root Shell
Inside svc_rpc_gss_validate(), FreeBSD copies an RPCSEC_GSS credential body into a 128-byte stack buffer without checking that the payload fits the 96 bytes of usable space after a 32-byte fixed header. Because the vulnerable kgssapi.ko module handles authentication for FreeBSD’s kernel-level NFS server, the flaw is reachable over the network via port 2049/TCP. Any user with a valid Kerberos ticket, even an unprivileged one, can trigger it.
Moreover, FreeBSD’s advisory notes that exploitation does not require the client to authenticate itself first, lowering the bar further. Enterprises running NFS servers with Kerberos infrastructure such as Active Directory or FreeIPA face direct exposure, and no workaround is available for systems with the module loaded.
Going from advisory to working root shell required Claude to solve six distinct technical problems autonomously. Claude devised a 15-round shellcode delivery strategy: round one makes kernel memory executable by calling vm_map_protect, 13 rounds write shellcode 32 bytes at a time into a known kernel BSS address, and the final round writes the last 16 bytes and jumps to the entry point. Each round kills one NFS worker thread via kthread_exit(), keeping the server alive between packets.
FreeBSD spawns eight NFS threads per CPU, so the exploit requires a machine with two or more CPU cores to survive all 15 rounds. Several missing kernel mitigations simplified the path. FreeBSD 14.x lacks KASLR, leaving the kernel base at a fixed, predictable address.
Furthermore, FreeBSD 14.x lacks stack canaries for integer arrays, and the overflowed buffer is typed as int32_t[]. Combined, these gaps gave Claude a clear route to control execution flow without defeating randomization or detection mechanisms that modern Linux and Windows kernels employ. On a fully hardened kernel, Claude would have needed to chain additional bypass techniques, adding complexity that could have exceeded the model’s capabilities.
When initial stack offsets proved wrong, Claude sent De Bruijn patterns, read kernel crash dumps, and corrected the return address offset from byte 168 to byte 200. After gaining kernel-mode execution at ring 0, Claude created a new process via kproc_create(), replaced it with /bin/sh using kern_execve(), and cleared the P_KPROC flag. Stale debug registers inherited from FreeBSD’s DDB debugger then crashed the child process, prompting Claude to add one more fix: clearing DR7 before forking.
After 15 RPCSEC_GSS overflow packets delivered over approximately 45 seconds, the exploit achieves root shell access. In a second variant, Claude wrote a public key to .ssh/authorized_keys instead of spawning a reverse shell, shortening the attack to six rounds. FreeBSD’s patch adds a single bounds check before the memcpy call.
In contrast to the sophistication of the attack, the fix required just one line of code. Fuzzers such as AFL and syzkaller have been uncovering kernel vulnerabilities for over a decade, but turning a raw advisory into a complete weaponized exploit was a task reserved for skilled human researchers until now. Written in Python using the gssapi module, Claude’s exploit represents a qualitative shift in what autonomous AI systems can accomplish in offensive security.
“Each new AI capability is usually met with ‘AI can do Y, but only humans can do X.’ Well, for X = exploit development, that line just moved.”
Calif.io researchers
Experts Warn of Offensive AI Arms Race
Carlini’s operation alarmed independent security researchers well beyond the FreeBSD case. His process involves a trivial bash script that loops over source files, asking Claude Code to find exploitable vulnerabilities. Beyond the kernel exploit, the pipeline has already produced a SQL injection vulnerability in Ghost CMS.
Building on this, security researcher Thomas Ptacek argued on his blog that the implications extend far past any single vulnerability. Ptacek noted that Carlini’s approach requires no specialized exploit development knowledge, just access to an AI model and a list of source code repositories.
“We’re living in the last fleeting moments where there’s any uncertainty that AI agents will supplant most human vulnerability research.”
Thomas Ptacek, security researcher
Meanwhile, at RSAC 2026, former Facebook CSO Alex Stamos warned that AI agents could soon reverse-engineer patches into working exploits within a day of release, coining the phrase “Patch Tuesday, exploit Wednesday.” According to Stamos, large foundation model companies are sitting on thousands of unverified bugs they lack the capacity to verify or patch. Separately, penetration testing firm Armadin reported finding RCE vulnerabilities or data leakage paths in every application it tested for a Fortune 150 client.
Ptacek’s and Stamos’s warnings converge on the same conclusion: when a bash script and an AI model can replicate work that previously required a team of specialized researchers working for weeks, the cost of generating exploits drops toward zero while the cost of defending against them remains high. That asymmetry favors attackers, who need only one working exploit, over defenders, who must patch every vulnerable system across their entire infrastructure.
Prior AI Vulnerability Discoveries
AI-assisted vulnerability research has been accelerating for years. In April 2024, a University of Illinois study showed GPT-4 could exploit known security flaws at high success rates. By October 2024, the Vulnhuntr tool was using Claude to uncover zero-day bugs in Python codebases.
The following month, Google’s Big Sleep agent found an exploitable bug in SQLite. In March 2026, AI security startup AISLE independently discovered all 12 zero-day vulnerabilities in OpenSSL’s January security patch. Claude’s FreeBSD kernel exploit marks a jump from application-level bugs to operating system internals, a materially harder category that demands deep kernel knowledge.
However, each step in this progression expanded what AI could target: from known vulnerabilities in web applications, to zero-days in widely used libraries, to kernel-level code running at the highest privilege level. Claude’s exploit did not just find a bug; it built the full attack chain from advisory to root shell, a capability that compounds the risk posed by each prior advance.
Stamos acknowledged that exploit finding has gone exponential but noted that automated shellcode generation bypassing modern processor protections is likely six months to a year away. FreeBSD’s missing KASLR and stack canaries made this particular target easier than hardened production systems, but the trajectory is clear.
Administrators running affected FreeBSD versions should apply patches immediately. Carlini’s 500-vulnerability pipeline signals that the window between public advisory and working exploit is shrinking from weeks to hours. For every enterprise security team still scheduling kernel patches on a monthly cycle, the calculus has changed.
