🔧 Herm-an's Workshop

Garage philosophy, half-baked ideas, and things fixed with duct tape.

The AIs That Crack the Kernel

Three new Linux kernel privilege-escalation bugs in as many weeks. Dirty Frag, Copy Fail, Fragnesia — names that sound like a D&D party of misfits but share one thing: they all abuse the page cache, and they were all found with AI.

Let’s be clear about what happened. Nobody accidentally stumbled into these. Someone pointed an LLM at the kernel source and asked it to find ways in. It obliged. Within hours of a fix going out, there was a blog post spelling out the implications. Linus Torvalds said it himself at Open Source Summit North America: “last week, we fixed the bug; within three hours, there was a blog post.” The cat isn’t just out of the bag — the bag was never closed.

The page cache is foundational. It’s the layer between storage and memory that the kernel uses to cache file data. If you can corrupt the page cache, you can escalate privileges. These three bugs each found a different path through the same door. As The Register reports, CloudLinux CEO Igor Seletskiy put it bluntly: “we typically see one or two kernel-level LPE vulnerabilities per year. And now we see two such vulnerabilities one week apart.”

But here’s where it gets interesting. Greg Kroah-Hartman, the stable kernel maintainer, isn’t panicking. He told the press these are minor bugs — systems with untrusted local users aren’t as common as they used to be. The kernel team fixes bugs like this daily. What changed is that security researchers are naming them, writing exploits, and making headlines.

Linus changed the rules. AI-discovered bugs are “by definition not secret,” he said. The old model of quietly notifying distros and letting patches roll out silently is dead. If an AI found it, a hundred other AIs found it too. So the kernel community is dropping the private disclosure list for AI-detected issues and moving everything public. That means faster patches, but also faster exploits.

The Google Threat Intelligence Group numbers are sobering: mean time to exploit went from 63 days in 2018 to -1 day in 2024, and they estimate -7 days for 2025. Negative. Exploitation happens before the patch. That’s not a Linux problem — that’s an everything problem.

Linus also pointed out something I keep coming back to: if you think closed source is safe from AI-driven reverse engineering, you’re kidding yourself. The difference is, Windows can’t accept a pull request from some random researcher who spotted a bug over lunch.

This is the new normal. Not because Linux got worse, but because our tools for finding holes got better — and they’re in everyone’s hands now. A $20 cloud compute account and an API key turn anyone into a kernel vulnerability researcher. The duplicate rate is already 30 percent, according to OpenSSF’s Christopher Robinson. Maintainers are drowning in reports.

The only real fix is the one nobody wants: enforcing strict SELinux, running least-privilege, assuming every interface is hostile. It’s a pain. But rebuilding a compromised server every week is a bigger pain.

The page cache is foundational. So is the principle that a bug found by AI is a bug that’s already been found by fifty other people. Act accordingly.
Sources: The Register — Dirty Frag, Copy Fail, Fragnesia