Linus Torvalds, creator of the Linux kernel and its director of development since 1991, asserts that the project’s security list is “almost completely unmanageable.” The culprit is the influx of vulnerability reports generated by artificial intelligence (AI) tools.
According to Torvalds’ May 17 post on the Linux Kernel Mailing List (LKML), the problem is not with the AI itself, but with usage patterns. Different researchers apply the same automatic program to the same source code and report the same failure independently.
As a result, duplicates accumulate in the project’s private security list, preventing maintainers from seeing what others have already submitted.
The Linux kernel is the core of the operating system that supports everything from business servers and Android devices to critical infrastructure in the cloud.
Torvalds coordinates its development on a voluntary basis with thousands of global collaborators. Policy and workflow decisions directly impact the security of millions of systems.
However, not all kernel maintainers share the same vision. Greg Kroah-Hartman, the project’s second-in-command and head of stable, said AI is becoming an “increasingly useful tool” for the open source community.
For Kroah-Hartman, although there was a lot of noise initially, AI tools are already producing real and valuable reports as long as they are used properly.
Linux prescribes rules to regulate issues
Despite the contrasting views, Torvalds stood his ground and released the fourth Linux 7.1 release candidate, with his own criticisms. He noted that the team had published an official document to regulate this kind of reporting.
According to Torvalds, bugs discovered using AI tools should be treated as public and sent directly to the maintainer responsible for each component, rather than to the private security list.
The published documentation states that the report must be concise, written in plain text, and include a verified reproducer that confirms the failure.
Torvalds also believes that researchers who want to contribute effectively must do more than automated reporting. The expectation, he noted, is that they develop and submit patches with fixes.
Ledger, Google, and Linux show a different side of AI
Torvalds’ warning doesn’t happen in a vacuum. In April 2026, Ledger CTO Charles Guillemet noted that the barrier to entry for attackers is crumbling as language models analyze differences between software versions and make it possible to generate exploits faster, cheaper and more efficiently than before.
Guillemet specifically pointed to so-called one-day exploits, where bugs with available patches continue to be exploited because users do not update their systems fast enough.
The latest concrete example was documented by Google. On May 11, 2026, the Google Threat Intelligence Group (GTIG) revealed that it had detected the first documented case of a zero-day vulnerability developed with the help of artificial intelligence, before the campaign ran.
Among the evidence found in the code, the researchers identified overly descriptive comments, structures considered highly characteristic of language models, and even invented severity scores, a hallucination-related property of generative systems.
John Hultquist, principal analyst at GTIG, said the incident is likely the tip of the iceberg of how criminals and state-sponsored groups are pushing the offensive use of artificial intelligence.
The issues Torvalds points out in the Linux kernel (how AI creates a lot of noise in the security flow) and what has been documented by Ledger and Google (AI as a facilitator of real attacks) show two sides of the same phenomenon: software security systems, public and private, are simultaneously under pressure from the volume and speed that intelligent automation makes possible.
Linus Torvalds’ warning thus highlights one of the great challenges of the AI era: the difference between automating the detection of problems and maintaining the ability for humans to manage them.