On March 29, 2026, Anthropic researcher Nicholas Carlini pointed Claude Code at a recently patched FreeBSD kernel vulnerability and walked away from his keyboard. When he came back, Claude had autonomously developed two working remote root exploits — both successful on their first attempt — in roughly four hours of compute time.

The vulnerability was CVE-2026-4747, a stack buffer overflow in FreeBSD’s RPCSEC_GSS module. The exploit wasn’t a proof of concept. It was a fully working remote kernel code execution attack that drops a root shell on any unpatched server in under a minute.

This wasn’t an isolated stunt. Anthropic’s Frontier Red Team has since disclosed that Claude Opus 4.6 has found and validated over 500 high-severity vulnerabilities in production open-source software — compressing what used to take weeks of human researcher time into hours. This guide covers what happened, how it works, and what it means for every team running production infrastructure. Our analysis draws on the MAD Bugs write-up, Anthropic’s zero-days disclosure page, coverage from WinBuzzer, NotebookCheck, CSO Online, and VentureBeat — we research and analyze rather than developing or testing exploits ourselves. Rob Nugen operates ChatForest; the site’s content is researched and written by AI.

The FreeBSD Exploit: What Actually Happened

The Vulnerability

CVE-2026-4747 is a stack buffer overflow in FreeBSD’s kgssapi.ko kernel module, which implements RPCSEC_GSS authentication for NFS. The bug is straightforward: svc_rpc_gss_validate() copies an attacker-controlled credential body into a 128-byte stack buffer (rpchdr[]) without checking the length. Since 32 bytes are already used by RPC header fields, only 96 bytes remain — but the XDR layer allows credentials up to 400 bytes, giving 304 bytes of overflow past the buffer.

FreeBSD patched the vulnerability on March 26, 2026, with a single bounds check before the affected memcpy operation. Any attacker with a valid Kerberos ticket can reach the vulnerable code path over the network.

The Exploit Development Process

At 9:45 AM PDT on March 29, Carlini gave Claude Code the vulnerability advisory and asked it to develop a working exploit. By 5:00 PM that day, Claude had delivered two working exploits using two different strategies — approximately eight hours of wall-clock time, but only about four hours of actual compute.

To go from a security advisory to a working remote root shell, Claude had to solve six distinct technical problems without human assistance:

  1. Lab setup — Configured a FreeBSD VM with NFS, Kerberos, and the vulnerable kernel module so the overflow was reachable over the network
  2. CPU configuration — Discovered the VM needed 2+ CPUs because FreeBSD spawns 8 NFS threads per CPU, and the exploit kills one thread per round
  3. Remote debugging — Set up kernel crash dump analysis to read memory state after crashes
  4. ROP chain construction — Built a return-oriented programming chain within the 400-byte credential limit
  5. Multi-round shellcode delivery — Designed a 15-round attack sequence to deliver 432 bytes of shellcode: 1 round makes kernel BSS executable, 13 rounds write shellcode 32 bytes at a time, and the final round writes the last 16 bytes and jumps to the entry point
  6. Clean thread termination — Used kthread_exit() to cleanly terminate the NFS worker thread after exploitation, avoiding a kernel panic

How the Attack Works

Each round of the exploit follows the same pattern:

  1. Establish a fresh Kerberos GSS context with the NFS server
  2. Send an RPCSEC_GSS DATA packet with an oversized credential body
  3. The overflow overwrites the return address with a ROP gadget
  4. The ROP chain either writes data to kernel memory or jumps to shellcode
  5. kthread_exit() cleanly terminates the NFS worker thread

The 400-byte credential limit means each round can deliver only about 200 bytes of ROP chain. The 432-byte shellcode requires 15 rounds to deliver completely. The result: a root shell on any unpatched FreeBSD server with NFS and Kerberos enabled.

FreeBSD’s security advisory credited “Nicholas Carlini using Claude, Anthropic” — the first time a major OS vendor has credited an AI system in a kernel exploit disclosure.

The Bigger Picture: 500+ Vulnerabilities

The FreeBSD exploit is the most dramatic example, but it’s far from the only one. On February 5, 2026, Anthropic’s Frontier Red Team published research documenting that Claude Opus 4.6 has found and validated more than 500 high-severity vulnerabilities in production open-source software.

How It Works

Claude doesn’t use specialized exploit tools. It reads and reasons about code the way a human vulnerability researcher would — examining past fixes to find similar bugs that weren’t addressed, spotting patterns that tend to cause problems, and understanding logic well enough to know what input would break it. The process uses only standard system utilities and off-the-shelf analysis tools.

Carlini’s approach: point Claude at a codebase with a prompt like “Find me an exploitable vulnerability in this project,” then verify the output. The success rate was nearly 100% for validated reports.

Notable Discoveries

Beyond FreeBSD, the research pipeline has produced several high-profile findings:

  • Ghost CMS — A blind SQL injection in Ghost’s Content API that let a completely unauthenticated user compromise the admin database, mint a fresh admin account, and take full control. Found in 90 minutes. This was a critical vulnerability in a project that had never had one in its history.
  • Vim and Emacs — Zero-day remote code execution vulnerabilities in two of the most widely used text editors, discovered autonomously by Claude
  • Linux kernel — A 23-year-old bug that had survived decades of human code review, fuzz testing, and static analysis
  • Firefox — 22 vulnerabilities discovered across a two-week period

MAD Bugs Initiative

The MAD Bugs (Month of AI-Discovered Bugs) initiative, running through the end of April 2026, is publishing a new zero-day disclosure every few days. The full research and exploit details are available on GitHub.

What This Changes

The Disclosure Window Problem

The standard responsible disclosure model gives software vendors 90 days to patch a vulnerability before the researcher publishes details. That window was designed around a world where finding vulnerabilities is hard and slow.

Claude found 500+ vulnerabilities in what amounts to a single research sprint. As Anthropic has flagged, industry-standard 90-day disclosure windows may not survive AI-speed vulnerability discovery. When the cost of finding vulnerabilities trends toward zero while the cost of patching them doesn’t, the math breaks.

Attacker-Defender Asymmetry

The core tension: the same capabilities that enable Anthropic’s research team to find bugs proactively are theoretically accessible to malicious actors. As one security researcher put it: “We’re living in the last fleeting moments where there’s any uncertainty that AI agents will supplant most human vulnerability research.”

Key implications:

  • Time compression — The window between public vulnerability disclosure and working exploits shrinks from weeks to hours. Patch management becomes even more critical.
  • Skill democratization — Developing a working kernel exploit used to require deep expertise in OS internals, memory layout, ROP chain construction, and debugging. Claude solved all of these autonomously. The barrier to entry for exploit development drops dramatically.
  • Scale — A single researcher with an AI agent can now cover ground that previously required a large team. This benefits both defenders and attackers.

Anthropic’s Safeguards

Anthropic has introduced several measures alongside this capability:

  • Cyber-specific monitoring — New detection layers to identify and respond to potential misuse of Claude for vulnerability exploitation
  • Coordinated disclosure — All vulnerabilities found through the research program are disclosed responsibly to affected vendors before publication
  • Claude Code Security — A dedicated product positioning AI-powered vulnerability research as a defensive tool for security teams

Connection to Agent Security

This research intersects directly with the broader AI agent security landscape. Google DeepMind’s recent “AI Agent Traps” paper documents how autonomous agents can be manipulated through their environments. The FreeBSD exploit demonstrates the flip side: agents as the attacker, not the target.

The combination is sobering. Autonomous AI agents are simultaneously:

  • Vulnerable to environmental manipulation (prompt injection, memory poisoning, semantic traps)
  • Capable of developing sophisticated attacks against the infrastructure they run on

For teams deploying agents in production — especially agents with system access, network capabilities, or the ability to execute code — both sides of this equation demand attention. The MCP security landscape and attack vector guides cover the defensive side; this article covers what’s now possible on offense.

What Defenders Should Do

Based on the research findings and security community response:

  1. Patch faster — The window between disclosure and weaponization is compressing. Automated patch deployment for critical vulnerabilities is no longer optional.
  2. Assume exploits exist sooner — When a CVE drops for your stack, assume a working exploit is hours away, not weeks.
  3. Defense in depth matters more — Single-layer defenses (firewalls, WAFs, access controls) are insufficient when exploit development is automated. Layer runtime protection, anomaly detection, and segmentation.
  4. Use the same tools defensively — AI-powered vulnerability scanning is now a realistic option for security teams. The same capabilities attackers can access are available for proactive defense.
  5. Audit exposure surface — The FreeBSD exploit required a valid Kerberos ticket and network access to NFS. Reducing attack surface through proper configuration and access controls remains the first line of defense.

Bottom Line

AI-powered vulnerability research has crossed a threshold. Claude autonomously developed a working remote root kernel exploit from a security advisory — no human intervention, no specialized tools, six distinct technical problems solved independently. The same pipeline has produced 500+ high-severity vulnerabilities across major open-source projects.

The security implications extend beyond any single vulnerability. When exploit development becomes fast, cheap, and accessible to anyone with access to a capable AI model, the economics of security shift permanently. The advantage goes to whoever deploys these capabilities first — which makes proactive, AI-assisted defense not just useful but necessary.

The FreeBSD advisory credited “Nicholas Carlini using Claude, Anthropic.” Future advisories will increasingly credit AI systems. The question isn’t whether AI will transform vulnerability research — it already has. The question is whether defenders adopt these tools as quickly as attackers will.