Sign in Subscribe
By Can Artuc in Linux

Linux 7.0: One Bash Script. One Weekend. 23 Years of Kernel Bugs.

Linux 7.0 shipped on April 12. Rust is official. AI is now a kernel coworker. Linus Torvalds calls this the new normal.

Linux 7.0: One Bash Script. One Weekend. 23 Years of Kernel Bugs.
Photo by Valeriia Miller on Unsplash

Twenty-three years. One evening.

A bash script runs in a loop on Nicholas Carlini's laptop. It does nothing clever. It opens a kernel source file, hands it to Claude Opus 4.6, asks the model to pretend it is in a capture-the-flag competition, and asks what it can break. Then it opens the next file. Then the next. Carlini is not watching it. He has run this kind of thing before. For months, he has run this kind of thing. All he ever gets back is noise.

Then a result comes back... And making him stop typing.

The model has found a hole in the code that Linux uses to share files over a network. The same code runs inside the file server at your company, the storage appliance at your hospital, the shared drive at your kid's school district, and a fair share of the file-sharing backends behind AWS, Google Cloud, and Azure. With this bug, an intern on day one, plugged into the office guest Wi-Fi, can run a short script that seizes the file server. Seizes, as in: read the HR team's salary spreadsheet, delete the payroll archive, copy the CEO's email backups, install a permanent back door that survives the next three reboots. No admin password. No stolen credentials. No second bug to chain. Every Linux-based file server shipped between March 2003 and April 2026 had this hole.

Carlini checks the commit history. The hole was cut into the kernel in March 2003. That is, before git itself existed (git arrived in April 2005). Every Linux-based storage appliance sold over the past two decades has this bug. He sits with the screen for a while. Later, he tells an audience at the [un]prompted AI security conference: "I have never found one of these in my life before. This is very, very, very hard to do."

I have been shipping Linux systems since 2004. Telecommunications, digital health, deep-tech imaging. I have run xfs_repair midnight on production filesystems more times than I want to count. I have watched an NFS server go silent and cost a team a full day of work.

Carlini's script is not clever. It is cheap.

A week of computing with one person. Simple economics...

And Linus Torvalds tagged Linux 7.0 three weeks later with a line in his release email that read like a shrug: "I suspect it's a lot of AI tool use that will keep finding corner cases for us for a while, so this may be the 'new normal' at least for a while."

Linus Torvalds tagged Linux 7.0 on Sunday, April 12, 2026. This is the story of what arrived with it, and who put it there.

... And this is the release where the new normal arrived.

This article is for paid subscribers only. Subscribing to canartuc.com monthly costs less than one sad airport sandwich you regret before boarding, and the aftertaste is better. 🤓 🥪

This post is for paying subscribers only

Already have an account? Sign in.

Subscribe to Can Artuc

Don’t miss out on the latest issues. Sign up now to get access to the library of members-only issues.
jamie@example.com
Subscribe