AI Uncovers a 23-Year-Old Vulnerability Lurking in the Linux Kernel
Anthropic’s Claude Opus 4.6 found what thousands of human researchers and automated tools had missed for over two decades — and the implications for cybersecurity are profound.
For 23 years, a critical security flaw sat silently inside one of the most scrutinized codebases on the planet. Thousands of professional security researchers, years of automated fuzzing campaigns, and countless static analysis tools all failed to find it. Then, an AI assistant discovered it in a matter of hours.
The vulnerability, now catalogued as CVE-2026-31402, is a heap buffer overflow in the Linux kernel’s NFSv4.0 LOCK replay cache — a component of the Network File System (NFS) driver that has been present since 2003. The discovery was made by Nicholas Carlini, a research scientist at Anthropic, using Claude Code powered by Claude Opus 4.6. He reported his findings at the [un]prompted AI security conference earlier this month.
“We now have a number of remotely exploitable heap buffer overflows in the Linux kernel. I have never found one of these in my life before. This is very, very, very hard to do. With these language models, I have a bunch.”
— Nicholas Carlini, Research Scientist, Anthropic
What Is the Vulnerability?
The flaw resides in how the NFSv4.0 server handles its LOCK reply cache. The replay cache uses a fixed 112-byte inline buffer — rp_ibuf[NFSD4_REPLAY_ISIZE] — to store encoded operation responses. This buffer size was originally calculated based on OPEN responses and does not account for LOCK denied responses, which include a conflicting lock owner field that can be up to 1,024 bytes in length.
When a LOCK operation is denied because of a conflict with a large owner string, the kernel copies the full encoded response into the undersized replay buffer with no bounds check. The result is a slab-out-of-bounds write of up to 944 bytes past the end of the buffer, corrupting adjacent heap memory.
- CVE ID: CVE-2026-31402
- Type: Heap Buffer Overflow (slab-out-of-bounds write)
- Component: Linux Kernel — NFSv4.0 LOCK Replay Cache
- Age: Present in kernel since 2003 (23 years)
- Impact: Remote memory corruption; sensitive kernel memory exposure
- Trigger: Two cooperating NFSv4.0 clients; no authentication required
- Discovered by: Nicholas Carlini (Anthropic) using Claude Opus 4.6
- Status: Patch available — update to latest patched kernel
The attack can be triggered remotely by an unauthenticated attacker using two cooperating NFSv4.0 clients: one sets a lock with a large owner string, then a second client requests a conflicting lock. No special credentials are required to exploit the vulnerability.
How Claude Found What Others Missed
The method Carlini used was deceptively simple. He pointed Claude Code at the Linux kernel source code and asked it to identify security vulnerabilities. What followed demonstrated a capability gap between AI-assisted and traditional security research that the industry is only beginning to grapple with.
Unlike traditional static analysis tools that scan for known bad patterns in isolation, Claude’s approach involves cross-component data flow tracing — following untrusted input across multiple files and subsystems to dangerous operations. This is precisely the kind of reasoning that makes subtle heap overflow bugs so difficult to detect with conventional tooling.
“Where Claude really separates from traditional static analysis is cross-component tracing. It follows data flow from untrusted input to dangerous operations across multiple files.”
— Anthropic Research Report, February 2026
NFS is core networking infrastructure deployed on millions of servers worldwide. The fact that such a flaw survived for two decades — through audits, kernel releases, and security reviews — underscores the scale of what AI-assisted vulnerability research has now made possible.
The Bigger Picture: 500+ Vulnerabilities Found
CVE-2026-31402 was not an isolated find. Carlini’s research, published in Anthropic’s paper “Evaluating and mitigating the growing risk of LLM-discovered 0-days” (February 2026), revealed that Claude Opus 4.6 discovered over 500 validated high-severity vulnerabilities across major open-source codebases.
- Anthropic publishes research paper on LLM-driven vulnerability discovery. Claude Opus 4.6 finds 500+ high-severity bugs across open-source projects.
- Claude finds 22 vulnerabilities in Firefox over two weeks in collaboration with Mozilla. One flagged within 20 minutes of being pointed at the codebase.
- Claude discovers CVE-2026-4747, a stack buffer overflow in FreeBSD’s RPCSEC_GSS (Kerberos/NFS) module. Claude autonomously writes two working remote root exploits — each succeeding on first attempt — in approximately four hours.
- CVE-2026-31402 publicly disclosed. Carlini presents findings at the [un]prompted AI security conference. Linux kernel maintainers issue patch.
Notably, Carlini attempted to reproduce his results using older models — Opus 4.1 and Sonnet 4.5 — and found they could identify only a small fraction of what Opus 4.6 discovered. This suggests the capability is not simply “AI can find bugs” but that it represents a sharp, recent inflection in model capability.
A Double-Edged Sword: Defense vs. Offense
The same AI capabilities that empower defenders can be turned against them. The cybersecurity community is beginning to confront an uncomfortable reality: the techniques Anthropic’s research team used responsibly are equally available to attackers with less scrupulous intentions.
🛡 AI as Defender
- Scans millions of lines of code at scale
- Cross-component data flow analysis
- Finds bugs missed by humans for decades
- Accelerates responsible disclosure
- Enables small teams to audit large codebases
- Real-time threat detection in networks
⚔ AI as Attacker
- Autonomous exploit development
- Drops skill barrier for attackers
- Can weaponize bugs faster than patches deploy
- Generates phishing emails and malware at scale
- Requires only an API key and a bash script
- May outpace 90-day disclosure windows
Anthropic’s research paper explicitly warns that LLM-driven vulnerability discovery may already be outpacing the security community’s ability to respond. The traditional 90-day disclosure window — the industry standard for allowing vendors time to patch before public disclosure — may not survive the era of AI-assisted vulnerability research.
What Should System Administrators Do Now?
All systems running NFS services are potentially exposed to CVE-2026-31402. The Linux kernel maintainers have issued a fix that adds a bounds check before copying into the replay buffer: if the encoded response exceeds NFSD4_REPLAY_ISIZE, the buffer size is set to zero to skip caching the replay payload, while still preserving the response status for the client.
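To make the bug and the fix concrete, here is a simplified model of the replay-cache slot and the bounds check described above. This is an added illustration written for this article, not the kernel's own code: the 112-byte `NFSD4_REPLAY_ISIZE` and the 1,024-byte owner limit come from the text, while the `struct nfsd4_replay` layout, the encoding helper and the `NFS4ERR_DENIED` value (10010, from the NFSv4 specification) are assumptions made to keep the example self-contained.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NFSD4_REPLAY_ISIZE 112   /* inline replay buffer, sized for OPEN replies (from the article) */
#define NFS4_OPAQUE_LIMIT  1024  /* maximum lock-owner string length (from the article) */
#define NFS4ERR_DENIED     10010 /* status of a denied LOCK (NFSv4 spec value) */

/* Simplified model of one replay-cache slot; field names are assumed, not the kernel's. */
struct nfsd4_replay {
    uint32_t     rp_status;                  /* NFS status returned to the client */
    unsigned int rp_buflen;                  /* bytes of cached encoded reply; 0 = payload not cached */
    char         rp_ibuf[NFSD4_REPLAY_ISIZE];/* fixed inline buffer that overflowed before the patch */
};

/* Unpatched behaviour, shown only in this comment: the encoded reply was copied into
 * rp_ibuf with no length check, so a LOCK-denied reply carrying a large owner string
 * wrote up to several hundred bytes past the buffer into neighbouring slab memory. */

/* Patched behaviour: keep the status for the client, but cache the payload only if it
 * fits the inline buffer. Returns true when the payload was cached. */
bool store_replay_entry(struct nfsd4_replay *rp, uint32_t status,
                        const char *encoded, size_t encoded_len)
{
    rp->rp_status = status;
    if (encoded_len > NFSD4_REPLAY_ISIZE) {
        rp->rp_buflen = 0;          /* too big: skip caching instead of overflowing */
        return false;
    }
    memcpy(rp->rp_ibuf, encoded, encoded_len);
    rp->rp_buflen = (unsigned int)encoded_len;
    return true;
}

/* Assumed toy encoding of a LOCK-denied reply: 4-byte status, 4-byte owner length, owner
 * bytes. Real XDR has more fields; this is just enough to exercise the size check.
 * Returns the encoded length, or 0 if the owner is too long or does not fit in out. */
size_t model_encode_lock_denied(char *out, size_t out_cap, uint32_t status,
                                const char *owner, size_t owner_len)
{
    size_t need = 4 + 4 + owner_len;
    uint32_t len32 = (uint32_t)owner_len;
    if (owner_len > NFS4_OPAQUE_LIMIT || need > out_cap)
        return 0;
    memcpy(out, &status, 4);
    memcpy(out + 4, &len32, 4);
    memcpy(out + 8, owner, owner_len);
    return need;
}

/* How many bytes the unpatched copy would have written past rp_ibuf (0 if it fits). */
size_t overflow_bytes(size_t encoded_len)
{
    return encoded_len > NFSD4_REPLAY_ISIZE ? encoded_len - NFSD4_REPLAY_ISIZE : 0;
}
```

The check is the whole fix: a reply that cannot fit is simply not cached, so the client still gets its `NFS4ERR_DENIED` status and the kernel never writes outside the slot.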
Recommended actions:
- Update all Linux systems running NFS services to the latest patched kernel immediately.
- Review NFS exposure — restrict NFS access to trusted networks where possible.
- Monitor for anomalous NFSv4.0 LOCK request patterns as an indicator of exploitation attempts.
- Subscribe to kernel security advisories from your Linux distribution vendor (Red Hat, Ubuntu, Debian, etc.).
Looking Ahead
The discovery of CVE-2026-31402 is more than a single security bulletin. It marks a turning point in the relationship between artificial intelligence and cybersecurity. AI is no longer merely a tool that assists security researchers — it is becoming a primary engine of vulnerability discovery, operating at a speed and scale that fundamentally reshapes the threat landscape.
For defenders, this is cause for both optimism and urgency. The same force that found a 23-year-old kernel bug in hours can be deployed to protect infrastructure at unprecedented scale. But it demands immediate investment in AI-augmented security practices, faster patching pipelines, and a rethinking of disclosure norms that were designed for a slower era.
The barrier to large-scale vulnerability hunting has dropped from requiring a well-funded security team to requiring an API key and a basic script. The organizations that recognize and adapt to this reality first will define the next chapter of cybersecurity.
This article is based on publicly disclosed CVE records, Anthropic’s published research, and verified reporting from security outlets including Ubuntu Security, Tenable, and mtlynch.io. The vulnerability has been patched; system administrators are advised to apply updates promptly.
