How I used o3 to find CVE-2025-37899, a remote zeroday vulnerability in the Linux kernel's SMB implementation

In this post I’ll show you how I found a zeroday vulnerability in the Linux kernel using OpenAI’s o3 model. I found the vulnerability with nothing more complicated than the o3 API – no scaffolding, no agentic frameworks, no tool use.


Recently I’ve been auditing ksmbd for vulnerabilities. ksmbd is “a linux kernel server which implements SMB3 protocol in kernel space for sharing files over network.” I started this project specifically to take a break from LLM-related tool development, but after the release of o3 I couldn’t resist using the bugs I had found in ksmbd as a quick benchmark of o3’s capabilities. In a future post I’ll discuss o3’s performance across all of those bugs, but here we’ll focus on how o3 found a zeroday vulnerability during my benchmarking. The vulnerability it found is CVE-2025-37899 (fix here), a use-after-free in the handler for the SMB ‘logoff’ command. Understanding the vulnerability requires reasoning about concurrent connections to the server, and how they may share various objects in specific circumstances. o3 was able to comprehend this and spot a location where a particular object that is not reference counted is freed while still being accessible by another thread. As far as I’m aware, this is the first public discussion of a vulnerability of that nature being found by an LLM.

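To make the bug class concrete, here is an added illustration of the defensive pattern the post alludes to: an object shared between concurrent connection handlers survives as long as any handler still holds a reference, so a ‘logoff’-style handler dropping its own reference cannot free it out from under another thread. This is example code written for this page, not ksmbd source and not the CVE-2025-37899 fix; `shared_obj`, `session`, `handler_logoff` and `handler_use` are hypothetical names, and the counter is a plain int standing in for the kernel's atomic kref.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Number of objects actually freed; lets a test observe when release happens. */
static int g_freed_count = 0;

/* Hypothetical shared object: state that two connections of the same
 * session may both reach. In the kernel this would carry a struct kref. */
struct shared_obj {
    int refcount;        /* holders; object is freed when this drops to 0 */
    char name[32];
};

/* Hypothetical session that points at the shared object. */
struct session {
    struct shared_obj *obj;
};

struct shared_obj *shared_obj_new(const char *name) {
    struct shared_obj *o = calloc(1, sizeof(*o));
    if (!o) return NULL;
    o->refcount = 1;     /* the creator (the session) holds the first reference */
    strncpy(o->name, name, sizeof(o->name) - 1);
    return o;
}

/* Take a reference before touching the object from another handler/thread. */
struct shared_obj *shared_obj_get(struct shared_obj *o) {
    if (o) o->refcount++;    /* stands in for kref_get(); not atomic here */
    return o;
}

/* Drop a reference. Frees only when the last holder lets go.
 * Returns 1 if the object was freed by this call, 0 otherwise. */
int shared_obj_put(struct shared_obj *o) {
    if (!o) return 0;
    if (--o->refcount > 0) return 0;
    g_freed_count++;
    free(o);
    return 1;
}

/* Logoff handler: detaches the object from the session and drops the
 * session's reference. It never frees directly, so a concurrent user
 * that holds its own reference keeps a valid pointer. */
int handler_logoff(struct session *s) {
    struct shared_obj *o = s->obj;
    s->obj = NULL;
    return shared_obj_put(o);
}

/* Another handler on a second connection of the same session: it pins the
 * object for the duration of its work and returns the name length it read. */
size_t handler_use(struct shared_obj *o) {
    size_t n;
    shared_obj_get(o);
    n = strlen(o->name);     /* safe even if logoff runs in the meantime */
    shared_obj_put(o);
    return n;
}

/* Simulates the interleaving of interest: the worker grabs a reference,
 * logoff runs, then the worker continues. Returns 1 if the object stayed
 * alive across the logoff and was freed exactly once, else 0. */
int simulate_interleaving(void) {
    int freed_before = g_freed_count;
    struct session s = { shared_obj_new("shared-state") };
    struct shared_obj *held = shared_obj_get(s.obj);   /* worker pins it */

    int freed_by_logoff = handler_logoff(&s);          /* must not free */
    int still_alive = (held->refcount == 1) && (strcmp(held->name, "shared-state") == 0);
    int freed_by_worker = shared_obj_put(held);        /* last holder frees */

    return !freed_by_logoff && still_alive && freed_by_worker
           && (g_freed_count - freed_before == 1);
}

int main(void) {
    printf("object survived logoff while in use: %s\n",
           simulate_interleaving() ? "yes" : "no");
    return 0;
}
```

Without the `shared_obj_get` in `handler_use`, the same interleaving would leave the worker reading freed memory, which is the shape of bug the post describes; the fix is to give every concurrent holder its own counted reference rather than letting one handler decide the object's lifetime alone.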

Before I get into the technical details, the main takeaway from this post is this: with o3 LLMs have made a leap forward in their ability to reason about code, and if you work in vulnerability research you should start paying close attention. If you’re an expert...

