Security expert Sean Heelan published a blog post on May 22, reporting that in the OpenAI with the help of the o3 inference model of theHe managed to discover Linux Kernel Major Zero Dayloophole, tracking number CVE-2025-37899.
Heelan said he initially intended to test OpenAI's o3 inference model through a code audit, but accidentally discovered that the AI could autonomously identify a complex "use-after-free" vulnerability in the Linux kernel's implementation of the SMB protocol, with the tracking number CVE-2025- 37899. 37899.
Note: "use-after-free" is a memory corruption problem caused by improper thread synchronization, which can lead to kernel memory corruption or even arbitrary code execution.
Heelan disclosed that the vulnerability occurs during the processing of the SMB "logoff" command, where one thread releases an object while another thread is still accessing it, without proper synchronization, resulting in a "use-after-free" issue. The lack of proper synchronization led to the "use-after-free" issue.
Heelan also compared another known vulnerability, CVE-2025-37778 (Kerberos Authentication Vulnerability), and found that o3 far outperforms models such as Claude Sonnet 3.7 when analyzing about 3,300 lines of code, with up to a three-fold increase in detection rate success.
After further testing and scaling the code to about 12,000 lines, o3 still managed to locate the Kerberos vulnerability and discovered a new "logoff" vulnerability.
Once the vulnerability was discovered, Heelan immediately reported it, the upstream team responded quickly, and the patch has been merged into all kernel branches that are still being maintained. The vulnerability has now been fixed in the kernel source code and users can simply pull the update from the distribution.