RSS

Getting LLMs Drunk to Find Remote Linux Kernel OOB Writes (and More)

schmuhblaster1 pts0 comments

Getting LLMs Drunk to Find Remote Linux Kernel OOB Writes (and More) · Hey, it's Asim

&darr;<br>Skip to main content

Hey, it&rsquo;s Asim

Table of Contents

Table of Contents

TLDR: the grossly overengineered, self-orchestrating team of vulnerability-hunting agents detailed below has discovered 20+ CVEs over the past few months, including CVE-2026-31432 and CVE-2026-31433: two remote, unauthenticated OOB writes in the Linux kernel&rsquo;s ksmbd . Read on for the details of the setup that achieved this, including – yes! – getting LLMs drunk.

Background

&ldquo;LLMing&rdquo; vulnerability research has been on my &ldquo;Do Something About This&rdquo; list since DARPA&rsquo;s AIxCC and XBOW&rsquo;s initial results. But back in 2023-24, models required a lot of harnessing to get anything useful, tool use was rudimentary, and the idea of squeezing as much code as I could into a model&rsquo;s context – then triaging away the false positives – filled me with dread.

The push to actually do something came in the summer of 2025. Rich Mirch reported a dead-simple, unnoticed-for-12-years local privilege escalation in sudo: CVE-2025-32462. Contrary to the documentation, the --host flag did not just permit listing privileges on a different host – it made the hostname portion of sudo rules irrelevant. So, e.g., if a sudoers rule granted you root on somehost but not the local host, you could abuse the flag to get full root locally.

This LPE was not LLM-found (AFAICT), but it did make me wonder: what if instead of getting LLMs to drive various tools, we had them hunt for (stupid simple) mismatches between documentation and the actual code? It seemed like an easier lift for (local) LLMs in terms of context size, harnessing complexity, and intelligence required. These would not be the most technically exciting findings, but their practical effects would be just as serious: impact-wise, an LPE is an LPE!

By the end of 2025, I&rsquo;d begun working on a harness to do just this. But, to paraphrase Mike Tyson, everyone has a plan until a new model drops. Almost as soon as my harness was done, the models got good enough to greatly simplify the scaffolding required even for context-heavy external tool use. At this point, my quest fissioned into three :

Can we find the &ldquo;docs ↔ code mismatch&rdquo;-type vulnerabilities – the original goal, inspired by the finding above?

Given the step change in capabilities, what about vulnerabilities in general?

More speculatively, can we get a &ldquo;move 37&rdquo; out of LLMs to either a) find entirely novel bug classes, or at least b) unlock something in smaller models to enhance their hunting capabilities?

Findings

The answers were roughly &ldquo;yes,&rdquo; &ldquo;yes,&rdquo; and &ldquo;maybe.&rdquo; Below are 30+ findings (20+ CVEs assigned as of 2026-04-29, some not yet published) discovered fully autonomously via the custom harness. I prioritized network-reachable services first, given the impending avalanche:

Target<br>Issue<br>CVE #

Linux kernel (ksmbd)<br>Compound READ + QUERY_INFO(Security) requests can trigger a (remote, unauthenticated) out-of-bounds write in ksmbd<br>CVE-2026-31432, fix

Linux kernel (ksmbd)<br>Compound QUERY_DIRECTORY + QUERY_INFO(FILE_ALL_INFORMATION) requests can trigger a (remote, unauthenticated) out-of-bounds write in ksmbd<br>CVE-2026-31433, fix

Docker<br>PUT /containers/{id}/archive executes container binary on the host -> container-to-host-root breakout<br>CVE-2026-41567

Docker<br>Crafted Docker API requests can make AuthZ plugins see no request body, bypassing body-inspecting authorization policies<br>CVE-2026-34040

Docker<br>Race condition in docker cp allows creation of arbitrary empty files on the host via symlink swap<br>CVE-2026-41568

OpenSSL<br>CMS AuthEnvelopedData processing may accept forged messages<br>CVE-2026-34182

MariaDB<br>wsrep SST unsafe parameter handling on the donor side -> RCE on the donor host<br>CVE-2026-44168

CUPS<br>On network-exposed CUPS with a shared PostScript queue, unauthenticated Print-Job requests can reach arbitrary code execution over the network as lp<br>CVE-2026-34980

CUPS<br>An unprivileged local attacker can coerce cupsd into leaking a reusable local admin token, escalating to a rootful file (over)write<br>CVE-2026-34990

CUPS<br>RSS notify-recipient-uri path traversal lets a remote IPP client write RSS XML outside CacheDir/rss, including clobbering job.cache<br>CVE-2026-34978

HAProxy<br>Single-packet infinite-loop DoS (QUIC)<br>CVE-2026-26080

HAProxy<br>Single-packet DoS (QUIC)<br>CVE-2026-26081

Caddy<br>Large host lists make MatchHost case-sensitive, enabling host-based routing/access-control bypass<br>CVE-2026-27588

Caddy<br>%xx escaped-path matching skips case normalization, enabling path-based access-control bypass<br>CVE-2026-27587

Traefik<br>TCP readTimeout bypass in the Postgres STARTTLS handling path, allowing an unauthenticated connection-stalling denial of service<br>CVE-2026-25949

udisks<br>Missing authorization on LUKS header restore lets a local unprivileged user...

host ldquo rdquo llms remote rsquo

Related Articles

US Government directive to suspend access to Fable 5 and Mythos 5

Dylan131224 ptsfable government anthropic jailbreak access mythos

Is AI ruining our skills? Early results are in – and they're not good

Michelangelo1124 ptstools skills during physicians colonoscopies tool

The Anatomy of an AI-Native Org

kiyanwang22 ptstranslated managers business translation language engineering

Apertus – Open Foundation Model for Sovereign AI

T-A16 ptsopen model apertus foundation sovereign fully

How to Earn a Billion Dollars

kingstoned15 ptsmonth become startup growth years billionaire
terms · privacy · disclaimer · contact · policy
© 2026 NewsHub. All rights reserved.
This site is for informational purposes only. Content is aggregated from publicly available sources. We may earn commissions through affiliate links. Not affiliated with Y Combinator or Hacker News.