April 1, 2026
AI wrote it, Reddit roasted it
Claude Wrote a Full FreeBSD Remote Kernel RCE with Root Shell (CVE-2026-4747)
AI “bug fix” turns into a root-level hack—and the comments go feral
TLDR: Researchers fed an AI a public bug report for FreeBSD, and it generated an exploit that could remotely grab full control. Commenters split between “not discovery, just automation” and “this supercharges weaponization,” with jokes about AI fixing bugs by breaking them and curiosity about the token-fueled prompt process.
An AI called Claude was handed a write‑up for a known FreeBSD bug, then cranked out a working exploit that could pop a remote root shell. The repo even shows the full prompt history, and that transparency is feeding the spectacle: half the crowd is impressed, the other half is clutching pearls. The spiciest meme? One user joked Claude was probably asked to fix the bug and instead wrote the hack—cue nervous laughter.
The biggest fight is over credit and danger. Skeptics stress that Claude didn’t “discover” anything; it was spoon‑fed a vulnerability report and scripted the attack. But others warn that’s the whole point: if an AI can industrialize exploit writing from public advisories, the security window between disclosure and patches just got dramatically riskier. Meanwhile, meta‑nerds are obsessing over the token bill and the prompt/validator loop, because of course they are.
There’s also petty drama: one commenter scolded the link choice (classic), while another cheered the rare gift of a full prompt log. Non‑tech translation: a tiny memory bug in a network file service let an attacker crash the gate, and the AI wrote the battering ram after reading the manual. Want the receipts? Here’s the write‑up. Whether you’re thrilled or terrified, the comment section is absolutely eating this up.
Key Points
- •CVE-2026-4747 is a stack buffer overflow in FreeBSD’s RPCSEC_GSS (kgssapi.ko) triggered by copying an unchecked credential length into a 128-byte stack buffer.
- •The vulnerable function, svc_rpc_gss_validate(), writes 32 bytes of RPC header and then copies oa_length bytes without bounds checking, overflowing when oa_length > 96.
- •Exploitation can overwrite stack frames and return addresses, enabling remote kernel code execution and a uid 0 reverse shell.
- •The attack surface is an NFS server with kgssapi.ko loaded and accessible on TCP port 2049; FreeBSD 13.5 is affected, testing noted on 14.4-RELEASE amd64.
- •FreeBSD 14.4-RELEASE-p1 patches the issue by adding a bounds check, as documented in advisory FreeBSD-SA-26:08.rpcsec_gss.