The video highlights a researcher using OpenAI’s GPT-3 to identify both known and new vulnerabilities in the Linux kernel’s SMB implementation, demonstrating AI’s potential to assist in complex vulnerability discovery through code analysis. While acknowledging current limitations like variability and false positives, it emphasizes that AI tools are increasingly valuable in automating and enhancing cybersecurity research and bug hunting efforts.
The video discusses a groundbreaking development in cybersecurity research, highlighting how an individual used OpenAI’s GPT-3 model to identify a zero-day vulnerability in the Linux kernel’s SMB implementation. The researcher emphasizes that they achieved this solely through the GPT-3 API without relying on additional frameworks or tools, showcasing the potential of AI in vulnerability discovery. The context includes ongoing efforts by government agencies like DARPA to leverage AI for bug hunting, illustrating a broader trend of AI-assisted security research gaining traction.
The core of the research involved analyzing the Linux kernel’s KSMBD module, which handles SMB protocol operations in kernel space. The researcher used GPT-3 to examine specific code paths related to session handling and authentication, focusing in particular on complex, state-dependent vulnerabilities such as use-after-free bugs. They explained that fuzzing for memory corruption bugs of this kind is hard because triggering them requires the program to be in a precise state, and that an AI model can comprehend and reason about these intricate preconditions more effectively than traditional methods.
Through systematic benchmarking, the researcher demonstrated that GPT-3 could identify a known vulnerability (CVE-2025-37778) in about 8% of runs, and even discover a new, previously unknown bug related to race conditions in session handling. Despite the low success rate, the AI’s ability to find real vulnerabilities and generate insightful bug reports was significant. The researcher also noted the variability in results across multiple runs, attributing this to the stochastic nature of GPT-3’s output and the importance of prompt design and sampling parameters.
The video emphasizes the limitations and potential of AI in vulnerability research, particularly how it can assist human analysts by sifting through large amounts of code and reports to identify promising leads. The researcher discusses strategies for managing the signal-to-noise ratio, such as limiting the code context provided to the AI and focusing on specific code paths. They highlight that while current models are not infallible, their performance is improving enough to make AI a valuable tool for security professionals, especially in automating parts of the bug hunting process.
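The context-limiting strategy described above (handing the model only the functions on one code path rather than the whole module) as an added Python example; this is not code from the video or the researcher, and the sample C source, its function names and the request-handling path it models are constructed stand-ins, not ksmbd code:

```python
import re

# Constructed stand-in for a kernel module's C source (not ksmbd's real code):
# one request-handling path plus an unrelated function that should be left out.
SAMPLE_SOURCE = r"""
struct ksmbd_session *lookup_session(int id) { return find_session(id); }
void session_logoff(struct ksmbd_session *sess) { destroy_session(sess); log_event("logoff"); }
int handle_logoff(struct request *req) { session_logoff(lookup_session(req->sid)); return 0; }
void unrelated_tree_connect(void) { log_event("tree connect"); }
"""

# Heuristic match for a top-level C definition: "type name(params) {" at line start.
FUNC_RE = re.compile(r"^[A-Za-z_][\w\s\*]*?\b(\w+)\s*\([^;{)]*\)\s*\{", re.MULTILINE)
CALL_RE = re.compile(r"\b(\w+)\s*\(")

def extract_functions(source: str) -> dict:
    """Map each top-level function name to its full, brace-matched definition."""
    funcs = {}
    for m in FUNC_RE.finditer(source):
        depth, end = 0, m.end() - 1          # m.end() - 1 is the opening brace
        for end in range(m.end() - 1, len(source)):
            depth += {"{": 1, "}": -1}.get(source[end], 0)
            if depth == 0:
                break
        funcs[m.group(1)] = source[m.start():end + 1]
    return funcs

def callees(definition: str, known: set) -> set:
    # Calls inside the body (past the first '{') for which we actually have source.
    return {n for n in CALL_RE.findall(definition[definition.index("{"):]) if n in known}

def slice_context(source: str, entry: str, max_depth: int = 2) -> list:
    """Breadth-first walk from entry, keeping only callees within max_depth hops."""
    funcs = extract_functions(source)
    if entry not in funcs:
        return []
    order, seen, frontier = [], {entry}, [(entry, 0)]
    while frontier:
        name, depth = frontier.pop(0)
        order.append(name)
        if depth < max_depth:
            for c in sorted(callees(funcs[name], set(funcs)) - seen):
                seen.add(c)
                frontier.append((c, depth + 1))
    return order

def build_review_context(source: str, entry: str, max_depth: int = 2) -> str:
    """The trimmed source a reviewer would hand to the model instead of the whole module."""
    funcs = extract_functions(source)
    return "\n\n".join(funcs[n] for n in slice_context(source, entry, max_depth))
```

Raising `max_depth` widens the slice toward the whole module, which is exactly the signal-to-noise trade-off the researcher describes.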
In conclusion, the video presents a cautiously optimistic view of AI’s role in cybersecurity, asserting that models like GPT-3 are approaching human-like reasoning capabilities in code analysis. The researcher advocates for integrating AI into vulnerability workflows to enhance efficiency and effectiveness, while acknowledging the ongoing challenges of false positives and result variability. Overall, the video underscores a transformative shift in vulnerability research, where AI tools are becoming essential allies in discovering and fixing security flaws in complex software systems.