LLM-accelerated vuln disclosure crisis
Linux kernel adopts no-embargo policy as LLMs flood maintainers with CVEs Lund Linux ConferenceTL;DW
- LLM-discovered vulnerabilities in Linux kernel cannot be embargoed since anyone can trivially rediscover them, forcing immediate public disclosure.
- Fedora kernel maintainer expects at least one important kernel update weekly due to FKB (fragment buffer) API misuse causing exploitable network stack vulnerabilities.
- Linux upstream community merged rules: no embargo period for LLM-found bugs, making vulnerability disclosure immediate and uncontrolled.
- FKB copy-on-write bugs in sendfile implementation enable dirty page attacks; widespread misuse across kernel codebase creates cascade of CVEs.
- Kernel maintainers focusing only on actively exploitable CVEs with proof-of-concept rather than preventative security work due to flood of discoveries.
- Old unmaintained protocols (ISDN removed, others deprecated) turned out to have numerous vulnerabilities; removal reduces attack surface as liability cuts across subsystems.
- Proprietary code faces greater risk than open source since LLM analysis works on compiled machine code without source access.
- SELinux and LSM policies can mitigate exploits by blocking vulnerable socket families or functions without kernel reboot via small BPF programs.
- Long-term benefit: continuous LLM scanning may eventually reach equilibrium where code has minimal CVEs, forcing better security practices industry-wide.
- State actors likely already possessed vulnerability discovery capabilities; LLMs make the vulnerability flood visible and public rather than creating new risk.
TL;DW
- LLM-discovered vulnerabilities in Linux kernel cannot be embargoed since anyone can trivially rediscover them, forcing immediate public disclosure.
- Fedora kernel maintainer expects at least one important kernel update weekly due to FKB (fragment buffer) API misuse causing exploitable network stack vulnerabilities.
- Linux upstream community merged rules: no embargo period for LLM-found bugs, making vulnerability disclosure immediate and uncontrolled.
- FKB copy-on-write bugs in sendfile implementation enable dirty page attacks; widespread misuse across kernel codebase creates cascade of CVEs.
- Kernel maintainers focusing only on actively exploitable CVEs with proof-of-concept rather than preventative security work due to flood of discoveries.
- Old unmaintained protocols (ISDN removed, others deprecated) turned out to have numerous vulnerabilities; removal reduces attack surface as liability cuts across subsystems.
- Proprietary code faces greater risk than open source since LLM analysis works on compiled machine code without source access.
- SELinux and LSM policies can mitigate exploits by blocking vulnerable socket families or functions without kernel reboot via small BPF programs.
- Long-term benefit: continuous LLM scanning may eventually reach equilibrium where code has minimal CVEs, forcing better security practices industry-wide.
- State actors likely already possessed vulnerability discovery capabilities; LLMs make the vulnerability flood visible and public rather than creating new risk.
LLM-based tools are rediscovering kernel vulnerabilities faster than patches ship, triggering weekly Fedora releases and an explosion of CVEs concentrated in SKB API misuse and copy-on-write handling. The talk covers mitigation approaches including dead code removal, stricter SELinux policies, LSM hooks, and BPF-based lockdowns.
