Linus Torvalds, creator of the Linux kernel and responsible for its development since 1991, says that the project’s security list is “almost completely unmanageable.” The cause is the massive influx of vulnerability reports generated with artificial intelligence (AI) tools.
The problem, according to a May 17 post by Torvalds on the Linux Kernel Mailing List (LKML), is not the AI itself but the usage pattern: different researchers run the same automated programs against the same source code and independently report the same bugs.
The result is an accumulation of duplicates in the project’s private security list, where maintainers cannot see what has already been submitted by others.


The Linux kernel is the core of the operating system that supports everything from business servers and Android devices to critical infrastructure in the cloud.
Torvalds coordinates its development on a voluntary basis with thousands of global collaborators. His policy and workflow decisions directly impact the security of millions of systems.
However, not all kernel maintainers share the same vision. Greg Kroah-Hartman, second in command of the project and responsible for the stable branch, has noted that AI has become “an increasingly useful tool” for the open source community.
For Kroah-Hartman, although it initially generated a lot of noise, AI tools already produce real and valuable reports, as long as they are used appropriately.
Linux dictates rules to regulate the problem
Despite the contrast of ideas, Torvalds maintained his position and accompanied his criticism with the release of the fourth Linux 7.1 release candidate. He noted that the team published formal documentation to regulate this type of reporting.
According to Torvalds, bugs found using AI tools should be treated as public disclosure and sent directly to the maintainers responsible for each component, not to the private security list.
The published documentation states that reports should be concise, written in plain text, and include a verified reproducer confirming the failure.
Torvalds also maintained that researchers who want to contribute effectively must go beyond automated reporting: the expectation, as he noted, is that they develop and send patches with the correction.
Ledger, Google and Linux show another side of AI
Torvalds’ warning does not occur in a vacuum. In April 2026, Ledger CTO Charles Guillemet noted that the barrier to entry for attackers is collapsing as language models make it possible to analyze differences between software versions and generate exploits more quickly, cheaply and efficiently than before.
Guillemet pointed specifically to so-called one-day exploits: bugs with available patches that continue to be exploited because users do not update their systems quickly enough.
The most recent and specific case was documented by Google. On May 11, 2026, the Google Threat Intelligence Group (GTIG) revealed that it had detected the first documented case of a zero-day vulnerability developed with the assistance of artificial intelligence, intercepting the campaign before it could be executed.
Among the evidence found in the code, the researchers identified excessively explanatory comments, a structure considered very characteristic of language models and even an invented severity score, a trait associated with hallucinations of generative systems.
John Hultquist, chief analyst at GTIG, said this case likely represents the tip of the iceberg of how criminal actors and state-backed groups are driving the offensive use of artificial intelligence.
The problem that Torvalds points out in the Linux kernel (AI as a generator of massive noise in security workflows) and the one documented by Ledger and Google (AI as an accelerator of real attacks) point to two sides of the same phenomenon: software security systems, public and private, are being pressured simultaneously by the volume and by the speed that intelligent automation makes possible.
In this way, Linus Torvalds’ warning is highlighting one of the great challenges of the AI era: the difference between automating the detection of problems and maintaining the human capacity to manage them.
