Claude Wrote a Full FreeBSD Remote Kernel RCE with Root Shell (CVE-2026-4747)

105 points by ishqdehlvi today at 5:21 AM | 36 comments

Comments

magicalhippo today at 9:59 AM

Key point is that Claude did not find the bug it exploits. It was given the CVE writeup[1] and was asked to write a program that could exploit the bug.

That said, given how things are I wouldn't be surprised if you could let Claude or similar have a go at the source code of the kernel or core services, armed with some VMs for the try-fail iteration, and get it pumping out CVEs.

If not now, then surely not in a too distant future.

[1]: https://www.freebsd.org/security/advisories/FreeBSD-SA-26:08...

ptx today at 10:35 AM

> It's worth noting that FreeBSD made this easier than it would be on a modern Linux kernel: FreeBSD 14.x has no KASLR (kernel addresses are fixed and predictable) and no stack canaries for integer arrays (the overflowed buffer is int32_t[]).

What about FreeBSD 15.x then? I didn't see anything in the release notes or the mitigations(7) man page about KASLR. Is it being worked on?

NetBSD apparently has it: https://wiki.netbsd.org/security/kaslr/

panstromek today at 10:07 AM

The talk "Black-Hat LLMs" just came out a few days ago:

https://www.youtube.com/watch?v=1sd26pWhfmg

Looks like LLMs are getting good at finding and exploiting these.

sheepscreek today at 12:10 PM

I find it more concerning that this is still considered newsworthy. Frontier LLMs in the hands of anyone willing to learn and determined can be a blessing or curse.

dheerajmp today at 12:19 PM

You do not need Claude for finding FreeBSD vulns. Just plain eyes. Pick a file you can find one.

m132 today at 10:03 AM

Appreciate the full prompt history

alcor-z today at 1:07 PM

The MADBugs work is solid, but what's sticking with me is the autonomy angle — not just finding a vuln but chaining multiple bugs into a working remote exploit without a human in the loop. FreeBSD kernel security research has always been thinner on the ground than Linux, which makes this feel both more impressive and harder to put in context. What's the actual blast radius here — is this realistically exploitable on anything with default configs, or does it need very specific conditions?

PunchyHamster today at 9:53 AM

I'm just gonna assume it was asked to fix some bug and it wrote an exploit instead

rithdmc today at 9:59 AM

Running into a meeting, so won't be able to review this for a while, but exciting. I wonder how much it cost in tokens, and what the prompt/validator/iteration loop looked like.