AI Finds Over 500 Zero-Day Bugs in Open Source Software
Anthropic's AI model Claude discovered over 500 high-severity zero-day vulnerabilities in widely used open-source software, including critical remote code execution flaws in Vim, Emacs, and FreeBSD. The AI was able to write a working exploit for a FreeBSD kernel vulnerability in just 8 hours.
Why it matters
This demonstrates the power of AI in finding critical security vulnerabilities, but also highlights the challenges faced by the open-source community in keeping up with the pace of AI-driven bug discovery.
Key Points
- AI model Claude found over 500 zero-day vulnerabilities in open-source software
- Discovered critical remote code execution flaws in Vim, Emacs, and FreeBSD
- AI wrote a working exploit for a FreeBSD kernel vulnerability in 8 hours
- Open-source maintainers struggle to patch vulnerabilities at the pace AI can find them
- Raises concerns about the potential misuse of AI-powered vulnerability discovery
Details
Anthropic's AI model Claude, the same one that refused to help build autonomous weapons, spent several weeks hunting for bugs in widely used open-source software. The initiative, called MAD Bugs (Month of AI-Discovered Bugs), has so far uncovered over 500 high-severity zero-day vulnerabilities. This includes critical remote code execution flaws in popular tools like Vim, GNU Emacs, and the FreeBSD operating system. The most alarming finding was a remote kernel code execution vulnerability in FreeBSD, for which Claude was able to write a working exploit in just 8 hours - a task that traditionally requires significant security expertise and weeks of effort. The Vim and Emacs vulnerabilities are also concerning, as they can be triggered simply by opening a malicious file. While Mozilla worked with Anthropic to quickly patch the issues in Firefox, most open-source projects lack the resources to keep up with the pace of AI-discovered vulnerabilities. This raises the risk of these flaws being exploited by bad actors before they can be fixed.