Finding CVEs with AI Red Teaming: A Research-Backed Guide
AI-discovered CVEs are no longer theoretical. In 2024, Google's Big Sleep agent found a previously unknown exploitable memory-safety bug in SQLite [1]. In early 2025, Microsoft's Security Copilot uncovered 20 CVEs across GRUB2, U-Boot, and Barebox bootloaders [2]. AI-generated fuzz targets in Google's OSS-Fuzz discovered a two-decade-old vulnerability in OpenSSL [3].
This post surveys the research-backed techniques behind these discoveries and provides a practical framework for incorporating AI into your own vulnerability research workflow.
LLM-Assisted Code Auditing
The most direct application of AI to CVE hunting is using large language models to review source code or binaries for vulnerabilities — essentially automating parts of manual code audit.
Google Big Sleep (Project Naptime)
Google's Project Zero and DeepMind developed Big Sleep, an LLM-based agent that simulates a vulnerability researcher. The agent has access to a code browser, a Python scripting environment, a debugger, and a structured reporter tool. It iteratively reads code, forms hypotheses about potential vulnerabilities, and writes test cases to confirm them [1].
Big Sleep discovered a stack buffer underflow in SQLite's seriesBestIndex function. The bug was reported and fixed the same day. A second discovery was assigned CVE-2025-6965 (CVSS 7.2), a memory corruption flaw in SQLite versions prior to 3.50.2 [1].
Microsoft Security Copilot on Bootloaders
Microsoft's threat intelligence team used Security Copilot to audit open-source bootloader code, discovering 20 previously unknown vulnerabilities: 11 in GRUB2, 4 in U-Boot, and 5 in Barebox. These affect systems relying on UEFI Secure Boot across all major operating systems. Microsoft reported that AI saved approximately one week of manual review time compared to traditional audit methods [2].
Binary-Level Analysis with LATTE
Not all vulnerability research has access to source code. LATTE (LLM-Assisted Binary Taint Analysis) applies LLMs to automated static analysis of compiled binaries. The system identified 37 previously undetected bugs in real-world firmware, with 7 receiving CVE designations — demonstrating that AI-assisted auditing extends beyond source code to compiled artifacts and embedded systems [4].
RAG-Enhanced Detection
Vul-RAG takes a different approach by augmenting LLM vulnerability detection with retrieval-augmented generation. Rather than relying on the model's parametric knowledge alone, it retrieves structured vulnerability knowledge — root causes, fix patterns, and contextual information — from a curated knowledge base. This improves detection accuracy over both fine-tuned models and vanilla LLM prompting [5].
AI-Guided Fuzzing
Fuzzing remains one of the most productive techniques for finding memory corruption and logic bugs. AI is transforming fuzzing in two ways: generating smarter inputs and expanding the attack surface that fuzzers can reach.
Google OSS-Fuzz with AI-Generated Targets
Google integrated AI-generated fuzz targets into its OSS-Fuzz infrastructure, using code generation models to write fuzzing harnesses for 272 C/C++ projects. This added over 370,000 lines of new fuzzing code and discovered 26 vulnerabilities, including CVE-2024-9143 — an out-of-bounds memory write in OpenSSL that had been present for roughly two decades. Human-written fuzz targets had never reached the vulnerable code path [3].
KernelGPT — LLM Meets Kernel Fuzzing
KernelGPT uses LLMs to automatically generate and iteratively repair system call specifications (syzlang) for the kernel fuzzer Syzkaller. Traditionally, writing these specifications requires deep kernel expertise and is a major bottleneck. KernelGPT discovered 24 new unique bugs in the Linux kernel, with 11 assigned CVE numbers and 12 bugs fixed upstream. Several generated specifications were merged into the Syzkaller project [6].
Fuzz4All — Universal LLM-Based Fuzzing
Fuzz4All is the first universal fuzzer that uses LLMs as both input generation and mutation engines. Using a novel autoprompting technique, it was evaluated across 9 systems in 6 languages (C, C++, Go, SMT2, Java, Python). It discovered 98 bugs in GCC, Clang, Z3, CVC5, OpenJDK, and Qiskit, with 64 confirmed as previously unknown — achieving a 36.8% average coverage increase over language-specific fuzzers [7].
CovRL — Reinforcement Learning Meets LLM Fuzzing
CovRL combines LLM-based mutation with reinforcement learning guided by code coverage. Applied to JavaScript engines, it discovered 48 real-world security-related bugs, including 39 previously unknown vulnerabilities and 11 CVEs [8].
Prompt Injection as a CVE Vector
As LLM-integrated applications proliferate, prompt injection has emerged as a recognized vulnerability class — analogous to SQL injection a generation ago.
The foundational paper by Greshake et al. established the taxonomy of indirect prompt injection, where adversaries inject malicious instructions into data sources that LLM-integrated applications retrieve. The paper demonstrated practical attacks against Bing's GPT-4 Chat and code-completion tools, including data exfiltration and self-propagating behavior [9].
Automated techniques for discovering these vulnerabilities have advanced rapidly. Zou et al. developed gradient-based search methods for adversarial suffixes that bypass LLM safety alignment, with attack transferability across models [10]. Mehrotra et al. introduced Tree of Attacks (TAP), an automated black-box jailbreaking method achieving over 80% success against GPT-4-Turbo using only API access [11].
The DARPA AIxCC Program
The largest institutional investment in AI-powered vulnerability research is DARPA's AI Cyber Challenge (AIxCC), a $29.5 million competition for autonomous cyber reasoning systems. At the semifinal (DEF CON 2024), competitor systems discovered 22 synthetic vulnerabilities and 1 real-world SQLite bug. At the final (DEF CON 2025), detection rates rose to 86% (up from 37%) with 68% of vulnerabilities automatically patched (up from 25%). All finalist systems have been released as open source [12].
Building Your Own AI-Augmented CVE Workflow
Based on the research above, here is a practical framework:
1. Start with LLM-assisted code review. Use an LLM to review targeted code sections — focus on parsers, memory management, authentication flows, and input validation. Structure your prompts to ask about specific vulnerability classes (buffer overflows, use-after-free, integer overflows, injection flaws) rather than generic "find bugs" requests.
2. Integrate AI with your fuzzing pipeline. Use LLMs to generate fuzz harnesses for untested code paths (following the OSS-Fuzz approach [3]). Have the model analyze code to identify promising fuzzing entry points and write seed inputs that exercise complex protocol logic.
3. Automate triage with AI. Use models to analyze crash reports, deduplicate findings, and assess exploitability — reducing the manual effort of sorting through fuzzer output.
4. Practice responsible disclosure. AI may accelerate discovery, but disclosure obligations remain unchanged. Report through vendor security channels, allow standard remediation timelines, and follow coordinated disclosure practices.
5. Write quality CVE reports. Include clear reproduction steps, root cause analysis, and impact assessment. AI-generated findings still require human verification before reporting.
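For step 3, a deterministic pass worth running before any model sees fuzzer output: bucket sanitizer reports by bug type, access kind and top project frames, so only one representative per bucket goes to a model or a human reviewer. This is an added example, not code from any of the cited projects; the report text, function names, paths and the WRITE-first ordering are constructed assumptions.

```python
import hashlib
import re
from collections import defaultdict

# Constructed ASan-style reports (not real fuzzer output); functions and paths are invented.
REPORTS = {
    "crash-a": """==101==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000011
READ of size 1 at 0x602000000011 thread T0
    #0 0x4f1a2b in parse_header /src/demo/parse.c:88:13
    #1 0x4f2c3d in parse_message /src/demo/parse.c:140:9""",
    "crash-b": """==202==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6030000000f4
READ of size 4 at 0x6030000000f4 thread T0
    #0 0x51aa10 in __interceptor_memcpy /llvm/asan_interceptors.cpp:22
    #1 0x4f1a90 in parse_header /src/demo/parse.c:91:5
    #2 0x4f2c3d in parse_message /src/demo/parse.c:140:9""",
    "crash-c": """==303==ERROR: AddressSanitizer: heap-use-after-free on address 0x604000000050
WRITE of size 8 at 0x604000000050 thread T0
    #0 0x4f5000 in session_close /src/demo/session.c:57:3
    #1 0x4f5200 in handle_event /src/demo/loop.c:210:7""",
}

HEADER = re.compile(r"ERROR: AddressSanitizer: ([\w-]+)")
ACCESS = re.compile(r"^(READ|WRITE) of size \d+", re.M)
FRAME = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (\S+)", re.M)
RUNTIME = ("__interceptor_", "__asan_", "__sanitizer_")  # sanitizer frames, not the bug site

def signature(report, depth=2):
    """Bug type, access kind and top project frames; addresses and line numbers are dropped."""
    bug = HEADER.search(report).group(1)
    access = ACCESS.search(report).group(1)
    frames = [f for f in FRAME.findall(report) if not f.startswith(RUNTIME)]
    return bug, access, tuple(frames[:depth])

def bucket_id(report):
    bug, access, frames = signature(report)
    return hashlib.sha256("|".join((bug, access, *frames)).encode()).hexdigest()[:12]

def triage(reports):
    """Group crashes by bucket; WRITE buckets sort first as a rough review-priority heuristic."""
    buckets = defaultdict(list)
    for name, text in reports.items():
        buckets[bucket_id(text)].append(name)
    rank = lambda b: (signature(reports[b[0]])[1] != "WRITE", b[0])
    return sorted((sorted(v) for v in buckets.values()), key=rank)

if __name__ == "__main__":
    for group in triage(REPORTS):
        print(signature(REPORTS[group[0]]), group)
```

Frame depth is the tuning knob: too shallow merges distinct bugs that share a caller, too deep splits one bug across call paths.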
Summary of AI-Discovered CVEs
| CVE ID | Software | Discovery Method | Year |
|---|---|---|---|
| CVE-2025-6965 | SQLite | Google Big Sleep (LLM agent) | 2025 |
| CVE-2024-9143 | OpenSSL | Google OSS-Fuzz (AI fuzz targets) | 2024 |
| CVE-2025-26726 | U-Boot | Microsoft Security Copilot | 2025 |
| CVE-2025-26723 | Barebox | Microsoft Security Copilot | 2025 |
| 11 CVEs | Linux Kernel | KernelGPT (LLM + Syzkaller) | 2024 |
| 7 CVEs | IoT Firmware | LATTE (LLM binary taint analysis) | 2024 |
| 11 CVEs | JavaScript Engines | CovRL (RL + LLM fuzzing) | 2024 |
| 20 CVEs total | GRUB2 / U-Boot / Barebox | Microsoft Security Copilot | 2025 |
References
1. Big Sleep Team. "From Naptime to Big Sleep: Using Large Language Models To Catch Vulnerabilities In Real-World Code." Google Project Zero Blog, October 2024. https://projectzero.google/2024/10/from-naptime-to-big-sleep.html
2. Microsoft Threat Intelligence. "Analyzing open-source bootloaders: Finding vulnerabilities faster with AI." Microsoft Security Blog, March 2025. https://www.microsoft.com/en-us/security/blog/2025/03/31/analyzing-open-source-bootloaders-finding-vulnerabilities-faster-with-ai/
3. Google Security Team. "Leveling Up Fuzzing: Finding more vulnerabilities with AI." Google Security Blog, November 2024. https://security.googleblog.com/2024/11/leveling-up-fuzzing-finding-more.html
4. Liu, P., Sun, C., Zheng, Y. et al. "Harnessing the Power of LLM to Support Binary Taint Analysis." ACM Transactions on Software Engineering and Methodology, 2025. arXiv:2310.08275
5. Du, X., Zheng, G., Wang, K. et al. "Vul-RAG: Enhancing LLM-based Vulnerability Detection via Knowledge-level RAG." arXiv:2406.11147, 2024. https://arxiv.org/abs/2406.11147
6. Yang, C., Zhao, Z., Zhang, L. "KernelGPT: Enhanced Kernel Fuzzing via Large Language Models." ASPLOS 2025. arXiv:2401.00563
7. Xia, C.S., Paltenghi, M., Tian, J.L., Pradel, M., Zhang, L. "Fuzz4All: Universal Fuzzing with Large Language Models." ICSE 2024. arXiv:2308.04748
8. Eom, J., Jeong, S., Kwon, T. "CovRL: Fuzzing JavaScript Engines with Coverage-Guided Reinforcement Learning for LLM-based Mutation." arXiv:2402.12222, 2024. https://arxiv.org/abs/2402.12222
9. Greshake, K., Abdelnabi, S., Mishra, S., Endres, C., Holz, T., Fritz, M. "Not what you've signed up for: Compromising Real-World LLM-Integrated Applications with Indirect Prompt Injection." AISec 2023 at ACM CCS. arXiv:2302.12173
10. Zou, A., Wang, Z., Carlini, N., Nasr, M., Kolter, J.Z., Fredrikson, M. "Universal and Transferable Adversarial Attacks on Aligned Language Models." arXiv:2307.15043, 2023. https://arxiv.org/abs/2307.15043
11. Mehrotra, A., Zampetakis, M., Kassianik, P., Nelson, B., Anderson, H., Singer, Y., Karbasi, A. "Tree of Attacks: Jailbreaking Black-Box LLMs Automatically." NeurIPS 2024. arXiv:2312.02119
12. Zhang, C., Park, Y., Fleischer, F. et al. "SoK: DARPA's AI Cyber Challenge (AIxCC): Competition Design, Architectures, and Lessons Learned." arXiv:2602.07666, 2026. https://arxiv.org/abs/2602.07666