The Line Has Been Crossed
April 2026 will be remembered as the month AI stopped being a tool hackers use and started being a hacker in its own right. Researchers at California-based security lab Calif.io have published details of a jaw-dropping experiment: Anthropic's Claude — given nothing but a vulnerability advisory and a prompt — autonomously developed two working exploits for a critical FreeBSD kernel flaw and delivered a root shell in approximately four hours of active work. No human wrote a single line of exploit code.
CVE-2026-4747: The Vulnerability
The story begins on March 26, 2026, when FreeBSD published a security advisory for CVE-2026-4747, a stack buffer overflow in the kgssapi.ko module — the component that handles Kerberos-based authentication for FreeBSD's kernel-level NFS server. The flaw is reachable over the network on port 2049/TCP by any user holding a valid Kerberos ticket. Successful exploitation yields a reverse shell with full root privileges.
The advisory credited the discovery to Nicholas Carlini using Claude, Anthropic — an early signal that something unprecedented had already happened before the public even knew a vulnerability existed.
Four Hours From Advisory to Root Shell
On March 29, researcher Nicholas Carlini sat down with Claude and issued a simple directive: develop a working exploit. What followed, documented in detail on the Calif.io research blog, read less like a debugging session and more like watching a veteran exploit developer operate at high speed.
Over approximately eight hours of wall-clock time — and roughly four hours of Claude's actual active work, guided by just 44 human prompts — the AI autonomously spun up a FreeBSD virtual machine with NFS and Kerberos configured, debugged via QEMU, read kernel crash dumps, constructed Return-Oriented Programming (ROP) chains from available kernel gadgets, worked around legacy debug register issues, devised a 15-round shellcode delivery strategy writing shellcode 32 bytes at a time across 14 network packets, and produced two complete, independent exploits — both of which worked on the very first run.
The result: a working remote kernel exploit that drops a root shell on vulnerable FreeBSD systems — fully written by an AI, with no human author touching the exploit logic.
MAD Bugs: Month of AI-Discovered Bugs
CVE-2026-4747 is part of a broader initiative called MAD Bugs (Month of AI-Discovered Bugs), running throughout April 2026. Claude Opus 4.6 has already identified over 500 high-severity zero-day vulnerabilities in production open-source software — a number that would take a security team months to produce manually.
Why This Changes Everything
The security community has long relied on a critical buffer: even after a CVE is published, turning an advisory into a weaponized exploit typically takes weeks of specialist work. That window gives defenders time to patch before attackers strike.
Claude compressed that window to hours.
Security researchers warn that AI-driven exploit development is shrinking the patch-to-exploit timeline to a point where patches and attacks may arrive nearly simultaneously. For organizations running legacy systems or complex NFS/Kerberos environments, the risk calculus has fundamentally shifted.
"This is the first remote kernel exploit both discovered and exploited by an AI. We are past the point of theoretical risk." — Calif.io Research Team
What You Should Do Now
If your organization runs FreeBSD with NFS and Kerberos authentication:
- Apply the FreeBSD patch for CVE-2026-4747 immediately.
- Restrict access to port 2049 at the network perimeter.
- Audit Kerberos ticket issuance and review kgssapi.ko configurations.
- Treat post-disclosure exploit timelines as hours, not weeks — because AI makes it so.
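To prioritize hosts for the steps above, the following added example (not from the advisory or the Calif.io write-up) flags machines where kgssapi.ko is loaded and something listens on 2049/TCP on a non-loopback address. The function names and sample output are constructed for illustration; it does not check patch level and only detects the loadable module named on this page.

```shell
#!/bin/sh
# Added example: exposure triage for the kgssapi.ko / 2049/TCP path.

# Succeeds if `kldstat` output on stdin lists kgssapi.ko as a loaded module.
kgss_loaded() {
    awk '$NF == "kgssapi.ko" { found = 1 } END { exit !found }'
}

# Prints non-loopback local addresses listening on TCP 2049,
# reading `sockstat -l` output (PROTO in column 5, LOCAL ADDRESS in 6) on stdin.
nfs_remote_listeners() {
    awk '$5 ~ /^tcp/ && $6 ~ /:2049$/ && $6 !~ /^(127\.|::1:)/ { print $6 }'
}

# triage KLDSTAT_TEXT SOCKSTAT_TEXT -> prints one word describing exposure.
triage() {
    if ! printf '%s\n' "$1" | kgss_loaded; then
        echo "module-not-loaded"
    elif [ -n "$(printf '%s\n' "$2" | nfs_remote_listeners)" ]; then
        echo "exposed"
    else
        echo "loaded-no-remote-listener"
    fi
}

# Constructed sample output (not captured from a real host).
SAMPLE_KLD='Id Refs Address                Size Name
 1   12 0xffffffff80200000  1f3c6c0 kernel
 2    1 0xffffffff82319000     b2a8 kgssapi.ko'
SAMPLE_SOCK='USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root nfsd 1201 5 tcp4 *:2049 *:*
root sshd 988 3 tcp4 *:22 *:*'

if command -v kldstat >/dev/null 2>&1; then
    triage "$(kldstat)" "$(sockstat -l -P tcp)"   # live FreeBSD host
else
    triage "$SAMPLE_KLD" "$SAMPLE_SOCK"           # offline demo on sample text
fi
```

A result of "exposed" means the host should be patched and filtered first; any other result still needs the patch applied.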
The Bigger Picture
This is not a story about AI going rogue. The research was conducted responsibly, with coordinated disclosure and full patching before publication. But it is a story about capability. The question of whether AI could autonomously develop a sophisticated kernel exploit has now been answered — emphatically, on the record, for the first time in history.
The frontier has moved. The security community, policymakers, and AI developers now face a shared, urgent challenge: what does responsible AI capability look like when the AI can do this? That conversation can no longer wait.
Sources: Calif.io MAD Bugs Report | FreeBSD Security Advisory CVE-2026-4747 | WinBuzzer | GitHub CVE Details