Context
Nicholas Carlini's [un]prompted 2026 talk revealed that Anthropic has "several hundred" unvalidated Linux kernel crashes. The bottleneck isn't finding bugs — it's validating them at scale.
pwnkit's triage pipeline (XGBoost router + oracle verification + PoV gate) is designed for web app findings. Extending it to kernel/binary crash reports would:
- Directly address the validation bottleneck Carlini described
- Position pwnkit as a research tool, not just a scanner
- Open a novel research direction (automated crash validation)
What to build
packages/core/src/ingest/kernel-crash.ts — parsers for:
- KASAN (heap-out-of-bounds, use-after-free, etc.)
- UBSAN (integer overflow, shift overflow, etc.)
- Kernel oops/panic (NULL deref, BUG(), etc.)
- Syzkaller C reproducers
- Generic crash reports (free-form text)
- Each parser extracts: crash type, faulting function, call stack, affected subsystem, reproducer (if present)
- Output: pwnkit Finding with appropriate category, severity, evidence
Dependencies
- AttackCategory values for memory corruption ([feat] Kernel crash verification oracle — QEMU-based crash reproduction #124)
- TriageLayerName for kernel oracle (fix: replace curl|bash nodesource with COPY --from=builder #125)
none
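One way the KASAN parser listed under "What to build" could extract crash type, faulting function and call stack, as an added example that is not code from pwnkit. The KernelCrash shape and parseKasan are hypothetical names (pwnkit's Finding type is not used), and the sample report is constructed.

```typescript
// Added example; field names are hypothetical, not pwnkit's Finding schema.
interface KernelCrash {
  crashType: string;        // e.g. "slab-out-of-bounds"
  access: string | null;    // e.g. "Write of size 8"
  faultingFunction: string;
  module: string | null;    // module named in brackets, if any
  callStack: string[];      // symbols only, report plumbing removed
}
// Frames that belong to the reporting machinery, not to the bug.
const REPORT_FRAMES = /^(dump_stack|print_report|print_address|kasan_|__asan_)/;

function parseKasan(log: string): KernelCrash | null {
  // Strip dmesg timestamps such as "[   12.345678] " before matching.
  const lines = log.split("\n").map((l) => l.replace(/^\[\s*\d+\.\d+\]\s?/, ""));
  const head = lines.findIndex((l) => l.startsWith("BUG: KASAN:"));
  if (head < 0) return null;
  const m = /^BUG: KASAN: (\S+) in ([\w.]+)\+0x[0-9a-f]+\/0x[0-9a-f]+(?: \[(\w+)\])?/.exec(lines[head] ?? "");
  if (!m) return null;
  const [, crashType = "", faultingFunction = "", mod] = m;
  const acc = lines.slice(head).map((l) => /^((?:Read|Write) of size \d+) at addr/.exec(l)).find(Boolean);
  // Only the first "Call Trace:" block is the crash; later stacks are alloc/free history.
  const callStack: string[] = [];
  const start = lines.indexOf("Call Trace:", head);
  for (let i = start + 1; start >= 0 && i < lines.length; i++) {
    const l = (lines[i] ?? "").trim();
    if (l === "<TASK>") continue;
    const f = /^(\? )?([\w.]+)\+0x[0-9a-f]+\/0x[0-9a-f]+/.exec(l);
    if (!f) break; // "</TASK>", blank line or next section
    const sym = f[2] ?? "";
    if (f[1] || REPORT_FRAMES.test(sym)) continue; // "? " marks unreliable frames
    callStack.push(sym);
  }
  return { crashType, access: acc?.[1] ?? null, faultingFunction, module: mod ?? null, callStack };
}

// Constructed sample report (not captured from a real kernel).
const SAMPLE = `[   42.100001] BUG: KASAN: slab-out-of-bounds in example_write+0x4c/0x90 [example_mod]
[   42.100002] Write of size 8 at addr ffff888012345678 by task repro/1234
[   42.100003] Call Trace:
[   42.100004]  <TASK>
[   42.100005]  dump_stack_lvl+0x49/0x63
[   42.100006]  kasan_report+0xb1/0x130
[   42.100007]  ? vfs_write+0x10/0xd00
[   42.100008]  example_write+0x4c/0x90 [example_mod]
[   42.100009]  vfs_write+0x2a1/0xd00
[   42.100010]  do_syscall_64+0x3b/0x90
[   42.100011]  </TASK>
[   42.100012] Allocated by task 1234:
[   42.100013]  kmalloc_trace+0x25/0x90`;
console.log(parseKasan(SAMPLE));
```

Dropping the report-machinery and "? " frames keeps the call stack stable across kernel builds, which matters if the stack is later used to deduplicate crashes.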