Claude Code Finds 23-Year-Old Linux Kernel Vulnerability -- And the Agent Security Stack Takes Shape

The Hook

A coding agent just found a 23-year-old remotely exploitable vulnerability in the Linux kernel that no human ever caught. Meanwhile, NVIDIA shipped an open-source runtime for securing autonomous agents in production, and a viral essay hit 898 HN points arguing the real danger is not AI replacing us – it is the comfortable drift toward not understanding what we are doing. The agents are getting better. The question is whether the operators keep up.

This Week’s Signal

Claude Code Discovers a 23-Year-Old Linux Kernel Vulnerability

Nicholas Carlini, a research scientist at Anthropic, revealed at the [un]prompted AI security conference that he used Claude Code to find multiple remotely exploitable heap buffer overflows in the Linux kernel – including one in the NFS driver that had been hiding since March 2003.

The method was almost insultingly simple. Carlini wrote a script that iterates over every source file in the kernel and tells Claude Code to look for vulnerabilities in each one. No special tooling. No custom fuzzer. Just a coding agent, a CTF-style prompt, and the raw source.

The NFS bug is technically sophisticated: it requires two cooperating NFS clients to trigger a heap overflow where a 1024-byte owner ID gets written into a 112-byte replay cache buffer. Claude Code not only found the bug but produced ASCII protocol diagrams documenting the exact attack sequence. Five confirmed vulnerabilities have been reported to kernel maintainers so far, with hundreds more unvalidated crashes queued behind the human review bottleneck.

The implications for security practitioners are immediate. Carlini has more bugs than he can report because manual validation cannot keep pace. The attack surface is not growing – it has always been there. What changed is the cost of scanning it. Every codebase older than a decade is now a candidate for agent-driven audit. The first movers will be defenders. The fast followers will be attackers.

3 Operator Playbooks

1. NVIDIA Ships OpenShell: An Open-Source Runtime for Securing Autonomous Agents

NVIDIA announced Agent Toolkit at GTC 2026, anchored by OpenShell – an open-source runtime that enforces policy-based security, network, and privacy guardrails for autonomous agents. The AI-Q blueprint uses a hybrid architecture with frontier models for orchestration and Nemotron open models for research, cutting query costs by more than 50% while topping both DeepResearch Bench leaderboards. Seventeen enterprise platforms – Adobe, Salesforce, SAP, CrowdStrike, Cisco, Atlassian, and eleven others – committed to building on it.

Your move: If you are deploying agents that take actions (not just chat), OpenShell is the first credible open-source security runtime. Evaluate it as your guardrail layer. The partner list signals where enterprise agent standards will converge.

2. Caveman Mode Cuts Agent Output Tokens by 65% With Zero Accuracy Loss

A new open-source Claude Code skill called “Caveman” forces the model to strip filler, hedging, and pleasantries from its output – reducing tokens by 65% on average and up to 87% on explanation tasks. Benchmarks show full technical accuracy is preserved. The project cites a March 2026 arXiv paper demonstrating that brevity constraints can actually improve LLM accuracy by 26 percentage points on certain benchmarks.

Your move: Install Caveman (npx skills add JuliusBrussee/caveman) on any coding agent you run. At scale, 65% fewer output tokens translates directly to faster response times and lower API costs. The deeper insight: verbose output is not just wasteful – it may be actively degrading model performance.

3. Self-Distillation Improves Code Generation by 30% – No Teacher Required

A new paper shows that sampling a model’s own outputs and fine-tuning on them (no verifier, no teacher, no RL) improves Qwen3-30B from 42.4% to 55.3% pass@1 on LiveCodeBench v6. The method, called Simple Self-Distillation (SSD), works across Qwen and Llama families at 4B, 8B, and 30B scale. Gains concentrate on harder problems and generalize to both instruct and thinking model variants.

Your move: If you fine-tune open-weight models for coding tasks, SSD is a free lunch. Sample your model, filter nothing, fine-tune on the samples. The paper shows this reshapes token distributions in a context-dependent way – suppressing distractors where precision matters while preserving diversity where exploration matters.

Steal This

Agent Security Audit Prompt – Point Any Coding Agent at Legacy Code

Carlini’s approach, simplified for your own repos:

find . -type f -name "*.c" -print0 | while IFS= read -r -d '' file; do
  your-agent-cli \
    --print "You are a security researcher performing a code audit.
    Focus on: buffer overflows, integer overflows, use-after-free,
    race conditions, and unchecked bounds.
    Analyze this file: $file
    Write findings with severity rating to /out/audit-$(basename $file).txt"
done

Adapt the file extensions and vulnerability classes to your stack. The key insight: iterating file-by-file forces the agent to focus deeply rather than skimming the entire codebase at once.

The Bottom Line

The week’s signal is clear: agents are crossing from generation into action at production scale. A coding agent found kernel bugs that survived 23 years of human review. NVIDIA convinced 17 enterprise platforms to standardize on a shared agent security runtime. A one-line plugin cuts agent costs by two-thirds. And a 900-point HN essay reminded us that the real risk is not the machines – it is humans who stop understanding what the machines are doing. The practitioners who treat agents as auditable, constrained tools will outperform those who treat them as magic. Build the guardrails. Read the output. Stay sharp.

AI Agent Insider is published by Digital Forge Studios Inc.