I used o3 to find a remote zeroday in the Linux SMB implementation

Exploit, validation, and tooling limits

  • Commenters ask if the ksmbd bug is practically exploitable and whether syzkaller or classic fuzzing could have found it.
  • The vulnerability involves concurrency and shared objects, leading several to doubt that traditional static analysis would reliably catch it.
  • Some wonder if other SMB implementations share similar bugs; consensus is that codebases differ enough that this isn’t obvious.
  • A later subthread presses for proof-of-concept (PoC) requirements; the author clarifies they did build a crashing PoC with KASAN, but it wasn’t emphasized in the writeup.

Signal-to-noise, workflow, and “prompt engineering”

  • The reported ~1:50 useful-to-noisy finding ratio divides opinion: some think it’s excellent for “needle in a haystack” work; others say reading LLM slop is less efficient than a skilled human audit.
  • Several maintainers complain they already drown in AI-generated false-positive CVEs and fear this article will worsen the spam.
  • Others argue triage is exactly where real gains are needed—if models could generate harnesses/PoCs or use sanitizers as an oracle, S/N might rise dramatically, but that’s expensive.
  • There’s extended debate over whether prompt design is “engineering” or just vibes; many describe structured workflows (separate prompt files, XML tagging, scratchpads, multi-step “reasoning” agents) as useful, even if empirically tuned rather than rigorously benchmarked.

Model capabilities and comparisons

  • Multiple people see this as evidence that new “reasoning” models (o3, Gemini 2.5 Pro, etc.) have crossed a threshold for nontrivial bug-hunting, especially in concurrent code.
  • Others report similar experiments: roughly 1:10 success on custom code challenges, needing many iterations, which suggests that the pattern of low raw accuracy but high upside is common.
  • There’s disagreement on which frontier model is best; some claim Gemini 2.5 can find the same bug more reliably with a good prompt.

Security arms race and deployment

  • Many expect that intelligence agencies and serious attackers are already automating zero-day discovery this way, or soon will be, triggering an arms race.
  • Defenders can also integrate such scans into CI or periodic audits, but abandoned or unmaintained software remains a major weak point.
  • Several highlight the mismatch between the modest dollar cost (~$116 for 100 runs) and the potentially high market value of a working zero-day.

ksmbd adoption, performance, and risk

  • Discussion notes ksmbd is a kernel-space SMB server offering high performance and SMB Direct/RDMA support, attractive on fast (e.g., 25G) networks and mixed environments.
  • Others question why such a large, risky protocol lives in kernel space at all, citing past catastrophic kernel SMB bugs and Samba’s slower but safer user-space model.