OpenAI's o3 Model Finds Linux Kernel Zero-Day
2025-05-22

This post details how the author discovered a zero-day vulnerability (CVE-2025-37899) in the Linux kernel using OpenAI's o3 model. Auditing ksmbd, the author leveraged o3 to analyze the code, successfully identifying a use-after-free vulnerability in the SMB 'logoff' command handler. o3 understood the complex logic of concurrent connections and object sharing, pinpointing the flaw. Furthermore, o3 rediscovered another vulnerability, CVE-2025-37778. The author argues o3 represents a significant leap in code reasoning capabilities, offering vulnerability researchers a powerful new tool to drastically increase efficiency.