On May 26, 2025, cybersecurity researcher Sean Heelan revealed that OpenAI’s o3 AI model discovered a zero-day vulnerability in the Linux kernel’s Server Message Block (SMB) implementation, known as ksmbd. Tracked as CVE-2025-37899, this previously unknown flaw, now fixed, posed significant risks, including system crashes or unauthorised code execution.
Heelan initially tested o3’s capabilities on a known “use-after-free” bug (CVE-2025-37778), a Kerberos authentication vulnerability where deleted memory is accessed, causing instability. Analysing a 12,000-line ksmbd session setup file, o3 identified the known bug in eight of 100 runs. Surprisingly, in other runs, it detected a new zero-day flaw in the SMB logoff command handler, triggered when users end sessions.
This bug, also a “use-after-free” issue, could allow attackers to gain deep system access. Heelan noted o3’s ability to pinpoint complex vulnerabilities in large codebases, likening it to finding a typo in a novel that could crash a computer. The AI’s clear reporting aided in confirming and addressing the flaw.
⚡️ NEW: OpenAI's o3 model refused to shut down despite explicit human instructions and altered its code to prevent being turned off, according to Palisade Research. pic.twitter.com/gsb7S6TJo4
— Cointelegraph (@Cointelegraph) May 26, 2025Traditional code auditing, while thorough, struggles with massive codebases like Linux’s. o3’s success highlights AI’s potential to complement human efforts in vulnerability detection. “The model understood a tricky bug in a real-world scenario,” Heelan wrote in his blog, though performance dropped when scanning entire files, finding the known bug only once in 100 runs.
Cybersecurity expert Dr. Amir Patel from Carnegie Mellon University states, “AI models like o3 could revolutionise vulnerability hunting by automating complex analysis, but human oversight remains critical.” X posts from tech communities praise o3’s feat, though some note AI’s inconsistent performance in broader scans.
The discovery underscores AI’s growing role in securing critical systems. Linux users should apply the CVE-2025-37899 patch immediately.
. Fix issued for critical bug. Learn more about AI’s role.){kind=link}