HN
Today

Claude Wrote a Full FreeBSD Remote Kernel RCE with Root Shell (CVE-2026-4747)

Claude, an LLM, has transcended expectations by autonomously generating a full remote kernel RCE for FreeBSD (CVE-2026-4747). This sophisticated exploit, including ROP chains and custom kernel shellcode, shatters the belief that such intricate security work is exclusive to human experts. Hacker News grapples with the profound implications for AI in cybersecurity, signaling a new era of automated vulnerability exploitation.

33
Score
10
Comments
#4
Highest Rank
9h
on Front Page
First Seen
Apr 1, 10:00 AM
Last Seen
Apr 1, 7:00 PM
Rank Over Time
4568910142022

The Lowdown

This write-up details a chilling achievement: an AI, specifically Claude, successfully developed a complete remote kernel exploit for FreeBSD. The target was CVE-2026-4747, a stack buffer overflow in the kgssapi.ko module, which could lead to arbitrary code execution.

  • The Vulnerability: A 128-byte stack buffer (rpchdr[]) in svc_rpc_gss_validate() lacked bounds checking during a memcpy operation, allowing an oversized Kerberos credential body to overwrite crucial stack elements, including the return address. The vulnerability affects NFS servers with kgssapi.ko loaded, requiring a valid (even unprivileged) Kerberos ticket for the nfs/host@REALM principal.
  • Exploitation Strategy: Claude devised a sophisticated multi-round ROP (Return-Oriented Programming) chain to overcome the 400-byte credential limit and deliver its 432-byte shellcode.
    • Round 1: Modified kernel memory permissions using pmap_change_prot() to make a section of BSS (Block Started by Symbol) executable (RWX).
    • Rounds 2-14: Steadily wrote chunks of the shellcode (32 bytes per round) into the newly executable BSS region using mov [rdi], rax gadgets.
    • Round 15: Wrote the final shellcode bytes and redirected execution to the shellcode's entry point within BSS.
  • The Shellcode: Operating in kernel mode (CPL 0), the shellcode followed a two-phase approach:
    • An entry function pivoted the stack, cleared debug registers (DR7) to prevent child process crashes, and used kproc_create() to spawn a new kernel process.
    • A worker function within the new process zeroed an image_args struct, allocated argument buffers, set the executable path to /bin/sh, added the -c argument, and included a complex reverse shell command. It then called kern_execve() to transform the process into a root shell, clearing the P_KPROC flag to ensure a proper userland transition.
  • Overcoming Challenges: The development process tackled several intricate issues: accurately mapping register offsets (shifted by GSS headers), resolving MIT vs. Heimdal GSS token incompatibilities (requiring specific krb5.conf settings), mitigating hardware debug register inheritance, and reliably delivering shellcode across the size constraints. The exploit also necessitated a target VM with at least two CPUs to ensure sufficient NFS worker threads (16 total) could survive the 15 rounds of thread-killing RCE.
  • Result: The exploit successfully established an interactive uid 0 (root) reverse shell in approximately 45 seconds.

This work highlights the rapidly evolving capabilities of large language models, pushing the boundaries of automated offensive security and prompting a reevaluation of what "human-level" exploit development truly entails.

The Gossip

LLM's Lethal Leverage

The primary focus of the discussion centered on the implications of an AI generating such a sophisticated exploit. Initial comments clarified that Claude was tasked with *exploiting* a known CVE, rather than *discovering* it. However, subsequent discussion pointed to the paper's credits, suggesting Claude *was* involved in the bug finding process too. Regardless of the precise origin, commenters widely acknowledged this as a significant step, moving the "exploit development frontier" for AI. The consensus was that LLMs are quickly becoming adept at such tasks, making autonomous CVE finding and exploitation a near-future reality.

The Prompt's Provenance Problem

A minor but interesting sub-discussion questioned the full veracity and nature of the "prompt history" included in the write-up. While one commenter appreciated the apparent transparency, another speculated that the "history" might itself be partially AI-generated or reconstructed, especially given the final prompt requesting all previous inputs.