Claude Code Dug Up a 23-Year-Old Linux Vulnerability

A developer let Claude Code analyze an old Linux driver — and the AI stumbled upon a vulnerability that has gone undetected since 2002. People on HN are losing their minds.

◉

24AI Underground

April 4, 2026·Updated April 5, 2026·2 min read

Claude Code Dug Up a 23-Year-Old Linux Vulnerability

Community buzz · early signal

SIGNALS

Claude Code found a real security vulnerability in the Linux kernel that has been hidden for 23 years
The discovery seemingly occurred as a side effect of regular code analysis — not as a dedicated security search
The HN thread is exploding right now with 340+ points and over 200 comments

Early signal · community sourced · unverified

A fast-growing thread on Hacker News right now is about something quite sensational: developer Michael Lynch let Claude Code loose on Linux source code, and the agent surfaced a vulnerability in a driver that has been in the kernel since 2002. Two decades and thousands of human code reviews. Nothing. Then an AI takes a few minutes.

This is, of course, early signals from one community source, and we don't yet know all the details regarding the severity or if it is actually exploitable in practice. But the premise itself is what's getting people to sit up.

What makes this even more interesting is how the discovery happened. Lynch wasn't necessarily looking for security bugs — he used Claude Code as a general analysis tool. This suggests that AI-assisted code review can uncover real vulnerabilities as a kind of side effect, without it being the primary goal.

When a tool accidentally finds a 23-year-old bug, the question of what it would find if it actually tried becomes quite relevant.

The comment section on HN is, as always, a mix of enthusiasm and healthy skepticism. Some point out that classic SAST tools and formal verification theoretically should pick up such things. Others argue that LLMs operate more like an experienced human reviewer — they understand context and intent, not just syntax and rules.

And this is exactly where this touches on something bigger. Research reports from 2025-2026 show that AI-generated code introduces security problems in almost half of cases (Veracode, 2025), while a full 81% of organizations lack an overview of where AI-generated code is actually located in their stack. That's a rather toxic combination: more AI code in, but little systematic AI-driven security control out.

So what does this mean specifically? Two things:

1. Retrospective code analysis suddenly becomes very interesting. If Claude Code can stumble upon a 23-year-old bug in passing, what's lurking in your legacy codebase?

2. The question of who finds the vulnerabilities first becomes more acute. The security community has long talked about threat actors using AI to automate vulnerability hunting. This is a concrete example of the defensive side also being able to do so — but it's a race.

We are following this case. Verify for yourself via Lynch's blog and the HN thread before drawing too strong conclusions — this is still an early signal, not a peer-reviewed report.

Claude Code Dug Up a 23-Year-Old Linux Vulnerability

Related Articles

Free AI Hidden in Your Mac — Nobody Knows About It

AMD Fights Back: Lemonade Makes Local LLM on AMD Chips Actually Usable

Anthropic's source code leaked: secret agents, codenames, and sabotage revealed