Claude Wrote a Full FreeBSD Remote Kernel RCE with Root Shell (CVE-2026-4747)
by ishqdehlvi on 4/1/2026, 5:21:48 AM
https://github.com/califio/publications/blob/main/MADBugs/CVE-2026-4747/write-up.md
Comments
by: magicalhippo
Key point is that Claude did not *find* the bug it exploits. It was given the CVE writeup[1] and was asked to write a program that could exploit the bug.

That said, given how things are I wouldn't be surprised if you could let Claude or similar have a go at the source code of the kernel or core services, armed with some VMs for the try-fail iteration, and get it pumping out CVEs.

If not now, then surely not in a too distant future.

[1]: https://www.freebsd.org/security/advisories/FreeBSD-SA-26:08.rpcsec_gss.asc
4/1/2026, 9:59:15 AM
by: ptx
> It's worth noting that FreeBSD made this easier than it would be on a modern Linux kernel: FreeBSD 14.x has no KASLR (kernel addresses are fixed and predictable) and no stack canaries for integer arrays (the overflowed buffer is int32_t[]).

What about FreeBSD 15.x then? I didn't see anything in the release notes or the mitigations(7) man page about KASLR. Is it being worked on?

NetBSD apparently has it: https://wiki.netbsd.org/security/kaslr/
4/1/2026, 10:35:52 AM
by: panstromek
The talk "Black-Hat LLMs" just came out a few days ago:

https://www.youtube.com/watch?v=1sd26pWhfmg

Looks like LLMs are getting good at finding and exploiting these.
4/1/2026, 10:07:45 AM
by: m132
Appreciate the full prompt history
4/1/2026, 10:03:59 AM
by: PunchyHamster
I'm just gonna assume it was asked to fix some bug and it wrote an exploit instead
4/1/2026, 9:53:39 AM
by: fragmede
https://github.com/califio/publications/tree/main/MADBugs/CVE-2026-4747 would have been a better link
4/1/2026, 10:02:15 AM
by: rithdmc
Running into a meeting, so won't be able to review this for a while, but exciting. I wonder how much it cost in tokens, and what the prompt/validator/iteration loop looked like.
4/1/2026, 9:59:23 AM