Seems like a clever technique for anything that needs a strong defense against hallucination. Kind of an “average across runs”. Manually auditing the results isn’t very scalable (cf. the author notes that in some runs the LLM caught the second half of the bug, but he missed that detail when reviewing). In future an LLM could do that bit too, so the technique becomes scalable. One can imagine being handed a meta-report of what’s in all the reports produced by the runs.
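A minimal sketch of what that meta-report step could look like, assuming a hypothetical `query_model()` wrapper around whatever LLM API is in use; the prompt wording and report handling are invented for illustration and aren’t taken from the post:

```python
# Sketch: run the same audit prompt N times, then have an LLM
# aggregate the individual reports into one meta-report.
# `query_model` is a hypothetical placeholder for an actual LLM API call;
# N=100 mirrors the setup described in the linked post.

def query_model(prompt: str) -> str:
    """Placeholder for whatever LLM API the harness actually calls."""
    raise NotImplementedError

def run_audits(audit_prompt: str, n: int = 100) -> list[str]:
    # Each run is independent; a real finding should recur across runs,
    # while a hallucination is unlikely to repeat consistently.
    return [query_model(audit_prompt) for _ in range(n)]

def meta_report(reports: list[str]) -> str:
    # Hand all N reports back to the model and ask it to aggregate:
    # which findings recur, and which appear only once or twice.
    joined = "\n\n---\n\n".join(
        f"Report {i + 1}:\n{r}" for i, r in enumerate(reports)
    )
    prompt = (
        "Here are N independent audit reports of the same code. "
        "List each distinct finding, count how many reports mention it, "
        "and flag findings that appear in only one or two reports "
        "as likely hallucinations.\n\n" + joined
    )
    return query_model(prompt)
```

This just replaces the manual cross-run audit with one more model call over the collected reports; the recurrence count is what does the hallucination filtering.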
sebstefan•8mo ago
> I'll be convinced when LLMs start making valuable pull requests, catching non-obvious corner cases or fixing non-trivial bugs in mature FOSS projects
https://pivot-to-ai.com/2025/05/13/if-ai-is-so-good-at-codin...
uskasagh•8mo ago
Based on the linked article, I think Gerard would balk at this post, consider the content exactly the kind of contribution people would hate to deal with, and call the headline “CEO weasel wording”.
sebstefan•8mo ago
> sebstefan: There’s this one from yesterday
> https://sean.heelan.io/2025/05/22/how-i-used-o3-to-find-cve-...
> David Gerard: > My experiment harness executes this N times (N=100 for this particular experiment) and saves the results
> That’s just fuzzing but vastly less efficient?
> Also, that’s not the question being asked, is it? It wasn’t “did someone use an AI for anything in open source.”
I'll try to explain it to him, but the guy seems pretty full of shit already.