
By using OpenAI's o3 artificial intelligence model, a security researcher has discovered a previously unknown remote zero-day vulnerability in the Linux kernel's SMB implementation.
The vulnerability, designated CVE-2025-37899, represents a significant milestone as potentially the first publicly documented case of an AI system independently finding such a critical security flaw.
The vulnerability, discovered by Sean Heelan, exists within ksmbd, the Linux kernel's in-kernel SMB3 server implementation used for network file sharing. Heelan found the flaw while benchmarking o3's capabilities against known vulnerabilities in the same codebase.
The AI model identified a use-after-free condition in the SMB 'logoff' command handler that could allow remote attackers to achieve arbitrary code execution with kernel privileges.
Understanding this vulnerability requires grasping how concurrent connections interact within the system. When multiple connections bind to the same session, one thread can free a critical user structure while another thread continues accessing it, creating a dangerous race condition.
As Heelan's analysis reveals, "the SMB protocol allows two different connections to 'bind' to the same session and there is nothing on the kerberos authentication path to prevent another thread making use of sess->user in the short window after it has been freed."
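A simplified model of the race described above, added here as an illustration (it is not ksmbd's code and not Heelan's analysis): the session, user pointer, lock and reference count are constructed for the example. It contrasts a logoff that frees the user object with no coordination against a version that clears the pointer under the session lock and defers the free until no other bound connection still holds a reference.

```c
#include <stdatomic.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model, not ksmbd code: one session shared by two bound
 * connections, owning a user object that the logoff handler frees. */
struct user { char name[32]; };
struct session {
    atomic_flag lock;      /* stands in for the kernel-side session lock */
    struct user *user;     /* freed on logoff */
    int user_refs;         /* connections currently using sess->user */
};
static void lock(struct session *s)   { while (atomic_flag_test_and_set(&s->lock)) { } }
static void unlock(struct session *s) { atomic_flag_clear(&s->lock); }

struct session *session_new(const char *name) {
    struct session *s = calloc(1, sizeof *s);
    s->user = calloc(1, sizeof *s->user);
    strncpy(s->user->name, name, sizeof s->user->name - 1);
    atomic_flag_clear(&s->lock);
    return s;
}

/* Vulnerable pattern: logoff frees the user while another connection bound
 * to the same session may still hold the raw pointer it loaded earlier. */
void logoff_unsafe(struct session *s) { free(s->user); }

/* Hardened pattern: users of sess->user take a reference under the lock;
 * logoff clears the pointer under the lock and frees only when unreferenced. */
struct user *user_get(struct session *s) {
    lock(s);
    struct user *u = s->user;
    if (u) s->user_refs++;
    unlock(s);
    return u;
}
void user_put(struct session *s, struct user *u) {
    lock(s);
    int last = (--s->user_refs == 0) && s->user == NULL; /* logged off meanwhile */
    unlock(s);
    if (last) free(u);
}
int logoff_safe(struct session *s) {
    lock(s);
    struct user *u = s->user;
    s->user = NULL;                         /* later lookups see "no user" */
    int free_now = (u != NULL && s->user_refs == 0);
    unlock(s);
    if (free_now) free(u);
    return u != NULL;                       /* 1 if a user was actually logged off */
}
```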
The discovery process involved feeding approximately 12,000 lines of code (~100k input tokens) to o3, encompassing all SMB command handlers. Although o3's reports also included false positives, it identified the vulnerability in multiple test runs, demonstrating unprecedented capability in automated vulnerability detection.
This breakthrough suggests a fundamental shift in cybersecurity research methodology. Heelan notes that "LLMs exist at a point in the capability space of program analysis techniques that is far closer to humans than anything else we have seen."