LLM-accelerated vuln disclosure crisis

Linux kernel adopts no-embargo policy as LLMs flood maintainers with CVEs Lund Linux Conference
TL;DW
  • LLM-discovered vulnerabilities in Linux kernel cannot be embargoed since anyone can trivially rediscover them, forcing immediate public disclosure.
  • Fedora kernel maintainer expects at least one important kernel update weekly due to FKB (fragment buffer) API misuse causing exploitable network stack vulnerabilities.
  • Linux upstream community merged rules: no embargo period for LLM-found bugs, making vulnerability disclosure immediate and uncontrolled.
  • FKB copy-on-write bugs in sendfile implementation enable dirty page attacks; widespread misuse across kernel codebase creates cascade of CVEs.
  • Kernel maintainers focusing only on actively exploitable CVEs with proof-of-concept rather than preventative security work due to flood of discoveries.
  • Old unmaintained protocols (ISDN removed, others deprecated) turned out to have numerous vulnerabilities; removal reduces attack surface as liability cuts across subsystems.
  • Proprietary code faces greater risk than open source since LLM analysis works on compiled machine code without source access.
  • SELinux and LSM policies can mitigate exploits by blocking vulnerable socket families or functions without kernel reboot via small BPF programs.
  • Long-term benefit: continuous LLM scanning may eventually reach equilibrium where code has minimal CVEs, forcing better security practices industry-wide.
  • State actors likely already possessed vulnerability discovery capabilities; LLMs make the vulnerability flood visible and public rather than creating new risk.

LLM-based tools are rediscovering kernel vulnerabilities faster than patches ship, triggering weekly Fedora releases and an explosion of CVEs concentrated in SKB API misuse and copy-on-write handling. The talk covers mitigation approaches including dead code removal, stricter SELinux policies, LSM hooks, and BPF-based lockdowns.