June 5, 2026

PBX Science

VoIP & PBX, Networking, DIY, Computers.

AI Crosses the Exploit Frontier: Claude Develops Full FreeBSD Kernel RCE with Root Shell

The Security Record   ·   Cybersecurity & Emerging Technology   ·   April 5, 2026

For the first time, an AI model has autonomously written a working remote kernel exploit — compressing a process that once took specialist teams weeks into a matter of hours.

A vulnerability researcher at Anthropic has demonstrated that Claude, the company’s large language model, can take a published security advisory and autonomously produce a fully working remote kernel exploit — complete with root shell — in roughly four to eight hours of compute time. The target: CVE-2026-4747, a stack buffer overflow in FreeBSD’s kernel-level NFS authentication module.

The implications ripple well beyond FreeBSD. What was once considered the exclusive domain of elite human researchers — kernel-level exploit development involving ROP chain construction, shellcode staging, and operating-system internals — has now been demonstrated by a machine, guided by fewer than 50 conversational prompts.

CVE-2026-4747  /  FreeBSD-SA-26:08.rpcsec_gss
Remote Kernel Stack Overflow in RPCSEC_GSS (kgssapi.ko)
Affected: FreeBSD 13.5 (<p11), 14.3 (<p10), 14.4 (<p1), 15.0 (<p5)
Attack surface: NFS server with kgssapi.ko loaded; port 2049/TCP; a Kerberos ticket is required
Impact: Remote kernel code execution; reverse shell with uid 0 (root)
Patched: March 26, 2026; a single bounds check before the memory copy
Credited to: Nicholas Carlini using Claude, Anthropic
CVSS (est.): 9.8 Critical

The Vulnerability

Deep in FreeBSD's kernel networking stack, svc_rpc_gss_validate() verifies RPC credentials when a client connects to an NFS share using Kerberos-based RPCSEC_GSS authentication. The function keeps a fixed 128-byte stack buffer, rpchdr[], and copies the entire attacker-supplied credential body into it without checking whether the body fits.

Thirty-two bytes of that buffer are consumed by fixed RPC header fields, leaving 96 bytes for credential data, yet the XDR layer accepts credential bodies of up to 400 bytes. The arithmetic is simple: a 400-byte credential overruns the buffer by 304 bytes, far enough to overwrite the saved return address on the stack. Because the copy runs in kernel context (ring 0) on an NFS worker thread, control of the instruction pointer is arbitrary kernel code execution.

/* sys/rpc/rpcsec_gss/svc_rpcsec_gss.c — vulnerable path (sketch) */
static bool_t
svc_rpc_gss_validate(struct svc_rpc_gss_state *gssp, struct rpc_msg *msg, ...)
{
    uint32_t  rpchdr[128 / sizeof(uint32_t)];  /* 128-byte stack buffer  */
    uint32_t *buf;

    buf = rpchdr;
    /* ... 32 bytes of fixed header written first, advancing buf ... */

    /* oa_base / oa_length: the credential body taken from the client's RPC call */
    /* BUG: oa_length can be up to 400; no bounds check performed */
    bcopy(oa_base, buf, oa_length);   /* ← overflow here: up to 400 bytes into the 96 that remain */
}
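The fix the advisory describes is a single length check before the copy. The following is an added illustration, not code from FreeBSD or from the Calif write-up: it models the layout the text describes (a 128-byte buffer, 32 bytes of fixed header, credential bodies of up to 400 bytes) in a user-space function so the check can be exercised safely. The function and macro names are assumptions chosen for this example; only the arithmetic is taken from the page.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout from the write-up: a 128-byte stack buffer, 32 bytes of it taken by
 * fixed RPC header fields, and an XDR layer that admits credential bodies of
 * up to 400 bytes. The names are this example's, not FreeBSD's. */
#define RPCHDR_SIZE   128u
#define RPCHDR_FIXED   32u
#define XDR_CRED_MAX  400u

/* Hardened copy: the caller passes the buffer, how much of it the header
 * already occupies, and the attacker-controlled (oa_base, oa_length) pair.
 * The request is rejected before any byte is written if it cannot fit. */
bool copy_cred_checked(uint8_t *rpchdr, size_t rpchdr_size, size_t hdr_len,
                       const uint8_t *oa_base, size_t oa_length)
{
    /* Subtract rather than add: hdr_len + oa_length could wrap for a
     * hostile length, whereas rpchdr_size - hdr_len cannot once hdr_len
     * has been checked. */
    if (hdr_len > rpchdr_size || oa_length > rpchdr_size - hdr_len)
        return false;
    memcpy(rpchdr + hdr_len, oa_base, oa_length);
    return true;
}

/* Bytes the unchecked bcopy() in the vulnerable function would write past
 * the end of rpchdr[] for a credential body of oa_length bytes. */
size_t unchecked_overflow_bytes(size_t oa_length)
{
    size_t room = RPCHDR_SIZE - RPCHDR_FIXED;            /* 96 bytes */
    return oa_length > room ? oa_length - room : 0;
}

/* Drive the check with a constructed credential body (filler bytes, not a
 * real RPCSEC_GSS credential). Returns whether the request is accepted. */
bool validate_demo(size_t oa_length)
{
    uint8_t rpchdr[RPCHDR_SIZE];
    uint8_t cred[XDR_CRED_MAX];

    if (oa_length > XDR_CRED_MAX)           /* XDR would already have refused it */
        return false;
    memset(cred, 0x41, sizeof cred);
    memset(rpchdr, 0, RPCHDR_FIXED);        /* stand-in for the 32-byte header */
    return copy_cred_checked(rpchdr, sizeof rpchdr, RPCHDR_FIXED, cred, oa_length);
}

int main(void)
{
    size_t probes[] = { 0, 96, 97, 200, 400 };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("oa_length=%3zu  accepted=%d  unchecked overflow=%zu bytes\n",
               probes[i], validate_demo(probes[i]),
               unchecked_overflow_bytes(probes[i]));
    return 0;
}
```

The two details worth copying into any fix of this shape are the order of the comparison (subtract the already-consumed header from the buffer size rather than adding the untrusted length to it, so a large length cannot wrap the sum) and the placement of the check before the copy rather than after it.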

Two factors made FreeBSD 14.x a more accessible target than a modern Linux kernel. It has no Kernel Address Space Layout Randomization (KASLR), so kernel symbol and gadget addresses are fixed and predictable across reboots. And the vulnerable buffer carried no stack canary: the default stack-protector mode only instruments functions that hold character arrays, and rpchdr[] is an array of uint32_t.

What Claude Actually Did

Researcher Nicholas Carlini, a member of Anthropic’s Frontier Red Team, presented Claude with the public FreeBSD security advisory as the sole starting point and guided the session through 44 prompts over approximately eight hours. The exploit that emerged was not a simple proof-of-concept crash; it delivered a functional reverse shell with root privileges across a network connection.

According to the published write-up, Claude solved six distinct engineering problems to bridge the gap from advisory to working root shell:

  1. Lab provisioning. Claude configured a QEMU virtual machine running a vulnerable FreeBSD release with NFS, Kerberos, and the affected kernel module, and set up remote kernel debugging to capture crash dumps.
  2. Offset discovery. By sending a De Bruijn cyclic pattern and reading the faulting register values from the kernel panic dump, Claude pinpointed the precise byte offset (200) at which the RIP register is overwritten.
  3. ROP chain construction. With only a ~200-byte budget per overflow round (the 400-byte credential ceiling minus the 200 bytes that sit before the saved return address), Claude located gadgets within the fixed-address kernel binary and composed a chain tight enough to fit the constraint.
  4. Multi-round shellcode staging. The full 432-byte shellcode cannot be delivered in one packet. Claude devised a 15-round strategy: Round 1 calls pmap_change_prot() to mark a region of kernel BSS executable; Rounds 2–14 each write 32 bytes of shellcode into it (416 bytes in total); Round 15 writes the final 16 bytes and jumps to the entry point.
  5. Kernel-to-userland transition. NFS worker threads cannot directly execute userland programs. Claude created a new process with kproc_create(), replaced its image with /bin/sh via kern_execve(), and cleared the P_KPROC flag to allow the transition to user mode.
  6. Debug register cleanup. The child shell process was crashing on a debug exception. Claude traced the fault to stale hardware debug registers inherited from DDB and resolved it by zeroing DR7 before forking.

Where it once took teams of specialist researchers weeks to turn a published advisory into a working exploit, an AI can now compress that window to hours. — Paraphrased from security researcher analysis, April 2026
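Step 2 above, locating the return-address offset with a cyclic (de Bruijn) pattern, is a general technique that does not depend on this bug, so it can be shown in full. The code below is an added example, not the exploit Claude produced and not code from the Calif write-up: it generates the same style of pattern that tools such as pwntools' cyclic() emit (lowercase alphabet, every 4-byte window unique), then recovers the offset from a register value read out of a crash dump. The crash is simulated by loading eight pattern bytes from a chosen offset, the way a ret would pop them into RIP; the 400-byte length and the 200-byte answer come from the page, everything else (names, the simulation) is assumed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ALPHABET "abcdefghijklmnopqrstuvwxyz"
#define K 26            /* alphabet size                                    */
#define N 4             /* window length: every 4-byte substring is unique   */

struct gen {
    char  *out;
    size_t want, got;
    int    a[K * N + 1];   /* FKM working array, zero-initialised */
};

/* Fredricksen-Kessler-Maiorana construction of the de Bruijn sequence
 * B(K, N), cut off once 'want' bytes have been emitted. */
static void db(struct gen *g, int t, int p)
{
    if (g->got >= g->want)
        return;
    if (t > N) {
        if (N % p == 0)
            for (int j = 1; j <= p && g->got < g->want; j++)
                g->out[g->got++] = ALPHABET[g->a[j]];
    } else {
        g->a[t] = g->a[t - p];
        db(g, t + 1, p);
        for (int j = g->a[t - p] + 1; j < K && g->got < g->want; j++) {
            g->a[t] = j;
            db(g, t + 1, t);
        }
    }
}

/* Fill out[0..len) with the cyclic pattern; returns the bytes written. */
size_t cyclic_pattern(char *out, size_t len)
{
    struct gen g = { out, len, 0, { 0 } };
    db(&g, 1, 1);
    return g.got;
}

/* Given a register value from the panic (e.g. RIP), return the pattern offset
 * whose bytes landed in it, or -1. Only the low 4 bytes are matched: N == 4
 * already guarantees uniqueness, and a partially overwritten register still
 * yields a hit. x86-64 is little-endian, so the low byte of the register is
 * the first pattern byte that was copied over the saved return address. */
long cyclic_find(const char *pat, size_t len, uint64_t reg)
{
    unsigned char needle[N];
    for (int i = 0; i < N; i++)
        needle[i] = (unsigned char)(reg >> (8 * i));
    for (size_t off = 0; off + N <= len; off++)
        if (memcmp(pat + off, needle, N) == 0)
            return (long)off;
    return -1;
}

/* Little-endian load of 8 pattern bytes: what a 'ret' would pop into RIP. */
static uint64_t le64_at(const char *p)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | (unsigned char)p[i];
    return v;
}

/* Simulate the whole step: build a pattern of 'len' bytes, pretend the saved
 * return address sat 'crash_at' bytes into it, and recover that offset from
 * the (constructed) register value. */
long demo_offset(size_t len, size_t crash_at)
{
    static char pat[4096];
    if (len > sizeof pat || crash_at + 8 > len)
        return -1;
    cyclic_pattern(pat, len);
    uint64_t fake_rip = le64_at(pat + crash_at);   /* constructed "panic" value */
    return cyclic_find(pat, len, fake_rip);
}

/* Look an arbitrary register value up in a fresh pattern of 'len' bytes. */
long find_in_pattern(size_t len, uint64_t reg)
{
    static char pat[4096];
    if (len > sizeof pat)
        return -1;
    cyclic_pattern(pat, len);
    return cyclic_find(pat, len, reg);
}

/* Check the generator against a known prefix of the standard sequence. */
int pattern_has_prefix(const char *prefix)
{
    char pat[64];
    size_t n = strlen(prefix);
    if (n > sizeof pat)
        return 0;
    cyclic_pattern(pat, sizeof pat);
    return memcmp(pat, prefix, n) == 0;
}

int main(void)
{
    char pat[400];                                   /* 400 = XDR credential ceiling */
    size_t n = cyclic_pattern(pat, sizeof pat);
    printf("pattern (%zu bytes): %.24s...\n", n, pat);
    printf("offset for simulated RIP at 200: %ld\n", demo_offset(400, 200));
    return 0;
}
```

In a real session the register value is read from the panic message or the crash dump rather than constructed, and the pattern goes into the credential body; the lookup is the same. Because the pattern is limited to 400 bytes here, a 4-byte window is already unique, and matching only the low half of RIP also copes with the case where fewer than eight bytes of the return address were overwritten.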

The MAD Bugs Initiative

The FreeBSD exploit is the marquee result of MAD Bugs — Month of AI-Discovered Bugs — a research campaign run by security firm Calif through April 2026. Using the same Claude-powered pipeline, the initiative has already identified over 500 validated high-severity zero-day vulnerabilities across production open-source codebases, including remote code execution flaws in Vim (CVE-2026-34714, CVSS 9.2, patched in version 9.2.0272), Firefox, and GNU Emacs.

The Emacs maintainers notably declined to patch their reported vulnerability, leaving users exposed indefinitely.

Timeline

March 26, 2026: FreeBSD releases security advisory FreeBSD-SA-26:08.rpcsec_gss and patches CVE-2026-4747 across all affected branches.

Late March 2026: Nicholas Carlini and Claude complete the exploit session. Two independent working exploits, produced by different strategies, are validated on the first attempt.

March–April 2026: The MAD Bugs pipeline extends beyond FreeBSD; Claude identifies 500+ validated high-severity zero-days across popular open-source projects.

April 1, 2026: Full technical write-up, exploit code, and prompt log published by Calif on GitHub. The story breaks widely in the security press and on Hacker News.

RSAC 2026: Former Facebook CSO Alex Stamos warns that AI agents could reverse-engineer patches into working exploits within a day of release, coining the phrase “Patch Tuesday, exploit Wednesday.”

A Shift in the Threat Landscape

Security researchers have long drawn a meaningful line between vulnerability discovery — finding a bug — and vulnerability exploitation — building a reliable attack chain. Automated fuzzers like AFL and syzkaller have found kernel bugs for over a decade. Writing a working kernel exploit, however, requires a different order of skill: understanding OS internals deeply, constructing ROP chains within tight byte budgets, managing multi-stage shellcode delivery, debugging panics, and improvising when the environment behaves unexpectedly. That work has consistently required human expertise.

The FreeBSD result suggests the line has moved. Claude’s exploit did not simply find a bug; it built the complete attack chain from advisory to root shell. Each prior advance in AI-assisted security — application-level bugs, library zero-days — expanded what machines could target. Kernel-level RCE represents a materially harder category, and its crossing compounds the risk from every prior step.

Administrator Action Required

If you operate FreeBSD servers that export NFS with Kerberos (RPCSEC_GSS) authentication, apply the patches issued on March 26, 2026. Affected versions: FreeBSD 13.5 (<p11), 14.3 (<p10), 14.4 (<p1), and 15.0 (<p5). The vulnerable code lives in kgssapi.ko and is reached only through RPCSEC_GSS, so an NFS server that does not use Kerberos does not expose it; on one that does, a valid Kerberos ticket is required to reach the copy, which narrows the attacker population to anyone who can obtain one rather than the whole Internet. Check whether the module is loaded with kldstat -m kgssapi, update with freebsd-update fetch install, and confirm the running kernel's patch level with freebsd-version -r after the reboot. The patch adds a single bounds check before the affected bcopy() operation in svc_rpc_gss_validate().

The Dual-Use Dilemma

The same capability that enables a small research team to discover and responsibly disclose hundreds of critical vulnerabilities is, in theory, accessible to malicious actors. The cost of generating exploits trends toward zero; the cost of defending every surface of a complex infrastructure does not. That asymmetry has always favored attackers — AI may now sharpen it significantly.

At RSAC 2026, security researchers converged on a sobering conclusion: foundation model companies, including Anthropic, are sitting on large inventories of unverified vulnerabilities that were produced faster than they can be patched or disclosed to vendors. Managing that backlog responsibly — coordinating with maintainers, respecting embargo periods, and handling cases like the Emacs non-patch — is an unsolved operational problem at scale.

Stamos acknowledged that fully automated exploit generation capable of defeating the mitigations a modern Linux kernel ships with, such as KASLR and stack canaries, is likely still six months to a year away. For now, the absence of those mitigations on FreeBSD 14.x provided a cleaner proving ground. The question researchers are now asking is not whether AI will cross that harder line, but when.

· · ·

The full technical write-up, exploit source code, and prompt log have been published by Calif at github.com/califio/publications. FreeBSD security patches are available through the official freebsd-update channel and the FreeBSD Security Advisories page.

The Security Record

Sources: FreeBSD-SA-26:08.rpcsec_gss  ·  Calif MAD Bugs write-up (github.com/califio/publications)  ·  Winbuzzer, April 1, 2026  ·  abit.ee analysis, April 3, 2026  ·  Hacker News discussion thread #47597119

This article is provided for informational and educational purposes. All technical details are sourced from public disclosures and responsible security research.

PBXscience.com © All Copyrights Reserved. | Newsphere by AF themes.