A serial killer is loose. The homicide detectives working the case cannot find the call that would lead them to him because the tip line is jammed with people who want the press attention, the reward money, or the thrill of being part of something dangerous. The lead the detectives need is buried in the same stack of paper.
Every Hollywood crime thriller writes that scene. I did not expect to see it on a Linux kernel security mailing list.
Two to three reports a week. Then five to ten a day.
That is the volume Willy Tarreau, the HAProxy author and longtime Linux kernel stable maintainer (responsible for older LTS branches like 2.4, 2.6.32, and 3.10), watched land on the Linux private security list.
The private channel that protects every Linux machine had flooded, and its creator stepped in to fix it.
"Almost Entirely Unmanageable"
Linus Torvalds, the creator of Linux, released Linux 7.1-rc4 on May 17, 2026. One paragraph in the announcement described what was happening to the security list: "The continued flood of AI reports has basically made the security list almost entirely unmanageable, with enormous duplication due to different people finding the same things with the same tools."
The reports are largely the same, mailed in by strangers who do not know each other. When a researcher fuzzes a Linux subsystem by hand, they bring their own intuition, setup, and odd corner of the code. Two researchers working independently usually find different things.
AI tools do the opposite. Ten researchers running the same scanner with the same default config walk the same code paths and report the same theoretical flaws.
A senior engineer still has to read each report carefully enough to recognize it as a duplicate of one triaged yesterday. The hours scale with the number of emails, not with the number of distinct findings.
The New Rule: AI Findings Go Public
The kernel team rewrote the channel instead of blaming AI for the flood.
One day before Torvalds' rc4 post, on May 16, 2026, the project merged new documentation in the docs-7.1-fixes pull request. The file is Documentation/process/security-bugs.rst. The author is Willy Tarreau, the same maintainer whose volume counts opened this story.
The documentation does two things.
First, it defines what qualifies for the private list: "urgent bugs that grant an attacker a capability they are not supposed to have on a correctly configured production system, and can be easily exploited, representing an imminent threat to many users." Everything below that bar belongs in the open.
Second, it puts AI on the public side of the line in one sentence: "If you resort to AI assistance to identify a bug, you must treat it as public."
The list is private to buy a window. Maintainers need time to write a fix and ship it to distributions before attackers learn the bug exists. AI tools close that window. Ten researchers running the same scanner can file the same finding on the same morning, in different time zones, none of them aware of the others. A confidential channel for a bug that ten strangers already know about is not confidential.
The logic makes sense and is a very good short-term fix. If a bug class is machine-findable, secrecy buys nothing, so the kernel stops wasting coordination time on it. The report goes to the maintainer who owns the code, and the fix happens in daylight. The private list goes back to being a quiet channel for real emergencies, the bugs that one careful human found that attackers do not yet know about.
AI bug hunting was not banned. The rule changes only the destination of an AI-found bug: it now goes to the subsystem maintainer in public rather than to the private security list.
The Difference Is a Patch
This is not an "AI bad" story. AI is good at finding kernel bugs, and that's not in dispute.
Greg Kroah-Hartman, who maintains the stable kernel branch downstream of Torvalds, uses AI-assisted fuzzing himself. He runs a local large language model, which he calls "Clanker T1000," on a Framework Desktop powered by an AMD Ryzen AI Max+ chip. From that setup, he has steadily landed close to two dozen merged patches across sound drivers, input handling, the SMB (Server Message Block) server, the Nouveau graphics driver, and io_uring.
The difference is in what each person sends.
Kroah-Hartman sends a patch. He finds the bug, understands it, writes the fix, and submits a change that a maintainer can review and merge. He has done the expensive part. The crowd flooding the security list sends a report: a description of a maybe-problem handed to someone else with the words "you figure out if this is real."
A patch is finished work. It adds capacity to the kernel because the reviewer mostly checks it and moves on. A bare report is an unwanted assignment dumped on a senior engineer who has to read it, reproduce it, classify it, and then write the same fix the reporter could have written. AI made the easy half of the work nearly free. It did not touch the part that the kernel actually needs.
Clap if you like the routing logic. Drop your team's rule for AI-generated findings in the comments. Forward this to whoever reads your security inbox before the flood lands there, too.
The Bug That Waited Eight Years to be Discovered
Aaron Esau hit send on May 19, 2026. His message went to the oss-security mailing list. The proof of concept was pushed to GitHub that same morning. The disclosure carried a codename, PinTheft, and a number, CVE-2026-43494. The work belonged to a security research firm called V12 Security. The kernel team read the file three days after the new routing rule took effect.
It was the first case file they had time to read properly in weeks.
The bug had sat in the kernel since 2018, in an old networking subsystem called Reliable Datagram Sockets (RDS). It was a small accounting error. The kernel keeps a count of who is still using a piece of memory. When the count reaches zero, the kernel reclaims that memory for something else. The bug was that a specific failure path dropped a reference it had never taken, subtracting 1 from that count each time it occurred. The bug did nothing dangerous for nearly eight years, because the count was always large enough to absorb a stray subtraction.
Then io_uring shipped in later kernels and gave Esau the missing piece.
io_uring is a faster way for programs to talk to the kernel. One of its features allows a program to register a single memory page (4 KB of RAM, the basic unit of kernel memory management for user pages) and hold references to it. Esau's exploit used that feature to increase the page's usage count to 1,024. He then sent 1,024 messages over RDS, every one designed to trigger the accounting bug. Each failure subtracted one extra from the use count. The count reached zero. The kernel freed the page and returned it to the pool of available memory.
The exploit then steered the kernel toward reusing that exact page to load the first slice of a SUID (set-user-ID) root binary into memory. A SUID root binary is the kind of program that runs as root no matter who launches it.
Esau still held a valid pointer to that exact page. He overwrote the kernel's copy of those first instructions with a few bytes of his own code. He then ran the SUID program. The kernel executed his bytes as root.
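The accounting defect described above, reduced to a model a reviewer can run. This is an added example and not RDS, io_uring, or any other kernel code: the page and holder names are hypothetical, the send routine is a stand-in for any operation whose error path drops a reference it never acquired, and the counts (1,024 pins, 1,024 failures) are the ones the story gives. The point it adds is the invariant a maintainer wants checked: the use count must equal the number of live holders, and the first stray drop already breaks it long before the page is freed out from under its holders.

```python
"""Reference-count accounting model (constructed example, not kernel code).

An error path that releases a reference it never took silently consumes a
reference belonging to some other holder. Once enough failures accumulate the
count hits zero and the page is reclaimed while legitimate holders still use it.
"""


class TrackedPage:
    """A page with a use count plus a registry of who actually holds references.

    The registry is the audit oracle: the count is only correct while it equals
    the number of outstanding holders.
    """

    def __init__(self):
        self.count = 0
        self.holders = set()
        self.freed = False

    def get(self, holder):
        if self.freed:
            raise RuntimeError("get() on a freed page (use-after-free)")
        self.count += 1
        self.holders.add(holder)

    def put(self, holder=None):
        if self.freed:
            raise RuntimeError("put() on a freed page (use-after-free)")
        self.count -= 1
        if holder is not None:
            self.holders.discard(holder)
        if self.count == 0:
            self.freed = True  # the allocator reclaims the page here

    def invariant_holds(self):
        """Every unit of the count must correspond to one registered holder."""
        return self.count == len(self.holders)


def send_message_buggy(page, ok):
    """Hypothetical send that fails partway through.

    Defect: the failure path drops a reference this call never acquired.
    """
    if not ok:
        page.put()  # stray put: nothing in this function called get()
        return False
    return True


def send_message_fixed(page, ok):
    """Same operation with balanced accounting: the failure path releases
    only what it acquired, which is nothing."""
    return bool(ok)


def run_scenario(send, pins=1024, failures=1024):
    """Pin the page `pins` times, then drive `failures` failing sends through it."""
    page = TrackedPage()
    for i in range(pins):
        page.get(f"pin-{i}")  # holders register as a pinning caller would
    first_violation = None
    for n in range(failures):
        send(page, ok=False)
        if first_violation is None and not page.invariant_holds():
            first_violation = n + 1  # the audit fires on the very first stray put
        if page.freed:
            break
    return {
        "count": page.count,
        "live_holders": len(page.holders),
        "freed_while_held": page.freed and len(page.holders) > 0,
        "first_violation_after": first_violation,
    }


if __name__ == "__main__":
    print("buggy:", run_scenario(send_message_buggy))
    print("fixed:", run_scenario(send_message_fixed))
    print("buggy, larger count:", run_scenario(send_message_buggy, pins=2000))
```

The third scenario is why the defect sat quietly for years: with more holders than failures the count never reaches zero, so nothing visible happens even though every failure was already wrong. A saturating counter like the kernel's refcount_t catches a decrement that would go below zero, but it cannot distinguish a stray put from a legitimate one while the count is still positive; only balanced acquire and release on every exit path, or an audit like invariant_holds() in a debug build, catches this class at the first occurrence.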
The line of fire ran through one distribution. Fedora, Ubuntu, and Debian ship with the RDS module blacklisted, so the buggy code never loads. Red Hat Enterprise Linux and its rebuilds do not compile RDS at all. A default install on any of those is safe. Arch Linux enables RDS by default. An Arch user running an unpatched kernel could run a single SUID program and walk away with a root prompt.
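The blacklist distinction above is worth checking on your own hosts rather than trusting the distribution's defaults. The following is an added example, not any distribution's tooling: it parses modprobe.d-style configuration with the semantics documented in modprobe.d(5), where a `blacklist` line only stops alias-driven autoload and an `install NAME /bin/false` (or `/bin/true`) line is what also stops an explicit load. The sample configuration text is constructed; the on-host helper reads the real directories and is only meaningful on Linux.

```python
"""Check whether a kernel module such as rds is blocked from loading, from
modprobe.d-style configuration (added example, not a distribution's own tooling).

Semantics per modprobe.d(5):
  blacklist NAME     blocks alias-driven autoload (the kernel asking for the
                     module when a program opens a matching socket type), but
                     an explicit "modprobe NAME" still loads it.
  install NAME CMD   runs CMD instead of loading NAME; CMD = /bin/false or
                     /bin/true blocks explicit loads as well.
Neither says whether the module is compiled out at all; "modprobe -n -v rds"
on the host is the dry run that answers that.
"""
import glob

BLOCKING_COMMANDS = {"/bin/false", "/bin/true", "/usr/bin/false", "/usr/bin/true"}


def parse_modprobe_conf(text):
    """Return (blacklisted_modules, {module: install_command}) from one file."""
    blacklist, install = set(), {}
    text = text.replace("\\\n", " ")  # backslash line continuation
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # comment lines start with '#'
            continue
        parts = line.split(None, 2)
        if parts[0] == "blacklist" and len(parts) >= 2:
            blacklist.add(parts[1])
        elif parts[0] == "install" and len(parts) == 3:
            install[parts[1]] = parts[2]
    return blacklist, install


def module_load_status(module, conf_texts):
    """Classify how the combined configuration treats `module`:
    'blocked'                explicit and automatic loads both blocked
    'autoload-only-blocked'  blacklisted; an explicit modprobe still works
    'loadable'               nothing in the configuration prevents loading
    """
    blacklist, install = set(), {}
    for text in conf_texts:
        found_blacklist, found_install = parse_modprobe_conf(text)
        blacklist |= found_blacklist
        install.update(found_install)
    command = install.get(module, "").split()
    if command and command[0] in BLOCKING_COMMANDS:
        return "blocked"
    if module in blacklist:
        return "autoload-only-blocked"
    return "loadable"


def module_load_status_on_host(module="rds"):
    """Read the real configuration directories; meaningful only on a Linux host."""
    texts = []
    for pattern in ("/etc/modprobe.d/*.conf", "/run/modprobe.d/*.conf",
                    "/usr/lib/modprobe.d/*.conf", "/lib/modprobe.d/*.conf"):
        for path in sorted(glob.glob(pattern)):
            with open(path, encoding="utf-8", errors="replace") as fh:
                texts.append(fh.read())
    return module_load_status(module, texts)


# Constructed samples: a blacklist-only file, and the line that also stops explicit loads.
BLACKLIST_ONLY = ["# constructed sample\nblacklist rds\n"]
HARDENED = BLACKLIST_ONLY + ["install rds /bin/false\n"]

if __name__ == "__main__":
    print("blacklist only:", module_load_status("rds", BLACKLIST_ONLY))
    print("hardened:      ", module_load_status("rds", HARDENED))
    print("this host:     ", module_load_status_on_host("rds"))
```

The distinction matters for the story's threat model: a blacklist alone keeps the module out of a default boot, which is what the page describes for Fedora, Ubuntu and Debian, while the `install` line is the setting to add where you also want a local user's explicit load attempt to fail.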
The fix landed in mainline at commit e174929793195e0cd6a4adb0cad731b39f9019b4. The patch hit the netdev mailing list on May 5, 2026, eleven days before Tarreau's documentation merged. The whole sequence ran the old way. A researcher wrote a working exploit, walked it through normal subsystem channels, and disclosed it cleanly on a fixed timeline. The fix shipped before the public proof of concept landed.
PinTheft would have sat under a stack of LLM duplicates for a week under the old conditions. The new rules give the team room to see the next one when it lands.
AI Changed the Economics of Bug Reporting
The kernel's private security list broke in a single release cycle. Tarreau counted the reports, wrote the routing rule, and Torvalds merged it.
PinTheft was the first case to clear the new inbox. Eight years dormant in the kernel. Two days for the team to read the disclosure properly, because for the first time in months, they had two days to spare.
That window existed because someone changed the routing rule.
The routing rule sends AI-found bugs to the public list. The public list now has the same volume problem. Routing is a first-order fix; it moved the flood, but it did not close it.
The next step is already running in other projects. Mozilla's agentic security pipeline, built around Anthropic's Claude Mythos Preview, identified 271 of the 423 Firefox security bugs shipped in April 2026, and the pipeline includes a deduplication stage before any report reaches a maintainer. The kernel's own syzbot fuzzer has performed signature-based crash deduplication since 2017. In its first three years, it reduced 3.24 million crash reports to 2,526 bug titles. The infrastructure concept is not new to the kernel community. The gap is that it exists for automated fuzzing but not yet for human-submitted AI-assisted reports.
A semantic layer before the public list would group duplicate reports rather than drop them. Ten researchers independently filing the same candidate finding is useful information: the bug is trivially findable by any competent scanner, the risk surface is large, and the priority should be higher because of it. What a maintainer does not need to do is read all ten separately. A deduplication layer would match each incoming report against recent filings and thread the duplicates together. A maintainer reads "11 reports aggregated, same subsystem, same root pattern" rather than 11 separate reports.
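A minimal version of the aggregation layer described above, as an added example rather than syzbot's or Mozilla's pipeline code. It is signature-based in the sense the page attributes to syzbot: each report is reduced to its subsystem plus its first few stack frames with addresses, symbol offsets and line numbers stripped, and reports that share a signature are threaded together so a maintainer reads one entry with a count instead of every duplicate. The report records and frame names are constructed; the `net/demo` and `drivers/demo` subsystems and `demo_*` symbols are placeholders, not real kernel code.

```python
"""Signature-based aggregation of incoming bug reports (constructed example).

A report is reduced to (subsystem, top N normalised frames). Reports with the
same signature are grouped; the largest group is listed first because many
independent hits on one pattern say the bug is trivially findable by any scanner.
"""
import re
from collections import defaultdict

OFFSET = re.compile(r"\+0x[0-9a-fA-F]+/0x[0-9a-fA-F]+")          # symbol+0x1a/0x40 offsets
ADDR = re.compile(r"\[<[0-9a-fA-F]+>\]|\b0x[0-9a-fA-F]{6,}\b")  # bracketed or long hex addresses
FILELINE = re.compile(r"(\.[ch]):\d+")                           # foo.c:123 -> foo.c


def normalize_frame(frame):
    """Strip everything that varies between builds and runs of the same bug."""
    f = OFFSET.sub("", frame)
    f = ADDR.sub("", f)
    f = FILELINE.sub(r"\1", f)
    return " ".join(f.split())


def signature(report, depth=3):
    """report: dict with 'subsystem' and 'trace' (innermost frame first)."""
    frames = tuple(normalize_frame(x) for x in report["trace"][:depth])
    return (report["subsystem"], frames)


def aggregate(reports):
    """Group reports by signature; returns [(signature, [reports...]), ...], largest first."""
    groups = defaultdict(list)
    for report in reports:
        groups[signature(report)].append(report)
    return sorted(groups.items(), key=lambda item: -len(item[1]))


def summarize(reports):
    """One line per distinct pattern, the way a maintainer would want to read the inbox."""
    lines = []
    for (subsystem, frames), members in aggregate(reports):
        reporters = sorted({m["reporter"] for m in members})
        lines.append(
            f"{len(members)} reports aggregated, subsystem {subsystem}, "
            f"root frame {frames[0]}, {len(reporters)} distinct reporters"
        )
    return lines


# Constructed inbox: three tool-generated reports of one pattern, one distinct finding.
SAMPLE = [
    {"reporter": "alice", "subsystem": "net/demo",
     "trace": ["[<ffffffff8123a0c0>] demo_release+0x1a/0x40", "demo_xmit+0x2f0/0x9c0",
               "demo_sendmsg+0x6a1/0x1200"]},
    {"reporter": "bob", "subsystem": "net/demo",
     "trace": ["[<ffffffff91b3a0c0>] demo_release+0x1c/0x40", "demo_xmit+0x2f0/0x9c0",
               "demo_sendmsg+0x6a1/0x1200"]},
    {"reporter": "carol", "subsystem": "net/demo",
     "trace": ["demo_release+0x1a/0x40", "demo_xmit+0x2f4/0x9c0",
               "demo_sendmsg+0x6a1/0x1200", "__sys_sendmsg+0x8a/0xd0"]},
    {"reporter": "dave", "subsystem": "drivers/demo",
     "trace": ["demo_probe+0x44/0x120", "really_probe+0xc0/0x3a0"]},
]

if __name__ == "__main__":
    for line in summarize(SAMPLE):
        print(line)
```

Grouping rather than dropping keeps the signal the page points at: the count of distinct reporters on one signature is itself a priority input. Matching on the top three frames is a deliberate trade-off; deeper signatures split one bug across many groups, shallower ones merge unrelated bugs that share a common release path, and a real deployment would tune the depth per subsystem.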
The routing rule gave the kernel team PinTheft. A semantic aggregation layer would give them the next one, and the one after that.
If this story matters to you, clap, leave a comment, or share it with the security or platform lead in your organization. They will face this triage problem in the next six months if they are not already facing it.