OpenAI’s o3 Model Empowers Researcher to Identify Zero-Day Vulnerability

OpenAI’s o3 artificial intelligence model has made headlines by assisting a cybersecurity researcher in identifying a zero-day vulnerability in the Linux kernel’s Server Message Block (SMB) implementation. This previously undiscovered flaw, designated as CVE-2025-37899, is particularly challenging to detect due to its nature of requiring multiple users or connections to interact with the system simultaneously. A fix for this critical security issue has already been released, highlighting the potential of AI in cybersecurity.

AI’s Role in Discovering Vulnerabilities

The use of artificial intelligence in uncovering zero-day vulnerabilities remains relatively uncommon, despite advancements in technology that could enhance this process. Most cybersecurity researchers still rely on traditional code auditing methods, which can be labor-intensive and time-consuming. Sean Heelan, the researcher involved, shared his experience in a blog post, detailing how OpenAI’s o3 model facilitated the identification of the flaw with greater ease than conventional methods.

Interestingly, Heelan was initially focused on a different vulnerability, known as CVE-2025-37778, which pertains to Kerberos authentication. This bug falls under the “use-after-free” category, where a system deletes a memory segment while other components continue to access it, potentially leading to crashes and security breaches. The AI model successfully detected this known vulnerability in eight out of 100 attempts, demonstrating its capability.

Testing the AI Model’s Capabilities

After confirming o3’s ability to identify a known security flaw, Heelan decided to challenge the AI further by providing it with the entire session setup command handler file, which consists of approximately 12,000 lines of code. This approach is akin to asking the AI to read a novel and locate a specific typo, with the stakes being significantly higher due to the potential for system crashes.

Upon running 100 simulations on this comprehensive file, o3 managed to identify the known bug only once. While Heelan noted a decrease in performance, he emphasized that the AI’s ability to find any bug at all was a significant achievement. More importantly, during the testing, o3 uncovered a previously unknown vulnerability that Heelan had overlooked, showcasing its potential in real-world applications.

Details of the Newly Discovered Vulnerability

The newly identified zero-day vulnerability also pertains to the SMB logoff command handler. Similar to the earlier bug, this flaw arises when the system attempts to access a file that has already been deleted, but it specifically triggers during user logouts or session terminations. According to o3’s analysis, this vulnerability poses a serious risk, as it could lead to system crashes or enable attackers to execute code with extensive system privileges.

Heelan praised o3 for its ability to comprehend complex bugs in practical scenarios, noting that the AI provided a clear explanation of the vulnerability in its report. While he acknowledged that o3 is not without flaws and has a high signal-to-noise ratio, he pointed out that the model exhibits a more human-like approach to bug detection compared to traditional security tools, which often follow rigid protocols.

Implications for Cybersecurity

The discovery of this zero-day vulnerability underscores the growing importance of integrating AI into cybersecurity practices. As threats become increasingly sophisticated, the ability of AI models like OpenAI’s o3 to identify and analyze vulnerabilities could revolutionize the field. While traditional methods remain valuable, the efficiency and adaptability of AI may provide a crucial advantage in the ongoing battle against cyber threats.

As organizations continue to navigate the complexities of cybersecurity, the collaboration between human researchers and AI tools could lead to more effective strategies for identifying and mitigating risks. The findings from Heelan’s research not only highlight the potential of AI in uncovering hidden vulnerabilities but also pave the way for further exploration into the capabilities of artificial intelligence in enhancing digital security.

Observer Voice is the one stop site for National, International news, Sports, Editor’s Choice, Art/culture contents, Quotes and much more. We also cover historical contents. Historical contents includes World History, Indian History, and what happened today. The website also covers Entertainment across the India and World.

Follow Us on Twitter, Instagram, Facebook, & LinkedIn