
A critical zero-day vulnerability has been discovered in the Linux kernel, unearthed with the aid of OpenAI’s o3 artificial intelligence model. Designated CVE-2025-37899, the flaw resides in the ksmbd component, the kernel-integrated server responsible for implementing the SMB3 protocol used for network file sharing.
The danger stems from a classic use-after-free error within the handler for the ‘logoff’ command. When one thread terminates a session and deallocates the sess->user object, another thread may simultaneously attempt to access the same session, thereby interacting with already-freed memory. This creates the potential for memory corruption and the execution of arbitrary code with kernel-level privileges.
Notably, the vulnerability was identified without the use of elaborate setups, advanced toolchains, or specialized frameworks. The researcher, known as Shawn, reported using only the o3 model’s API. According to him, this marks the first publicly documented discovery of such a vulnerability made solely through a language model.
Introduced by OpenAI on April 16, 2025, the o3 model has been positioned as a leap forward in AI reasoning. It is designed to “think” more thoroughly before responding and has demonstrated remarkable performance in complex tasks, including code analysis and mathematical problem-solving.
Shawn emphasized that o3’s ability to comprehend multithreading and logical interactions between system components was pivotal in uncovering the flaw. He also noted that rather than replacing researchers, AI serves as a formidable ally—amplifying their capabilities.
Despite the critical nature of the vulnerability, the Exploit Prediction Scoring System (EPSS) currently rates its likelihood of exploitation as low—approximately 0.02%. The flaw affects kernel versions up to 6.12.27, 6.14.5, and 6.15-rc4. Several Linux distributions, including SUSE, have already initiated work on security patches. The SUSE Security Team has assigned the vulnerability a moderate severity rating.
This discovery may signal a turning point in cybersecurity: a future where AI actively aids in identifying critical vulnerabilities is swiftly becoming a tangible reality.