Source URL: https://simonwillison.net/2025/May/24/sean-heelan/
Source: Simon Willison’s Weblog
Title: Quoting Sean Heelan
Feedly Summary: The vulnerability [o3] found is CVE-2025-37899 (fix here), a use-after-free in the handler for the SMB ‘logoff’ command. Understanding the vulnerability requires reasoning about concurrent connections to the server, and how they may share various objects in specific circumstances. o3 was able to comprehend this and spot a location where a particular object that is not reference counted is freed while still being accessible by another thread. As far as I’m aware, this is the first public discussion of a vulnerability of that nature being found by an LLM.
Before I get into the technical details, the main takeaway from this post is this: with o3 LLMs have made a leap forward in their ability to reason about code, and if you work in vulnerability research you should start paying close attention. If you’re an expert-level vulnerability researcher or exploit developer the machines aren’t about to replace you. In fact, it is quite the opposite: they are now at a stage where they can make you significantly more efficient and effective. If you have a problem that can be represented in fewer than 10k lines of code there is a reasonable chance o3 can either solve it, or help you solve it.
[…] You can find the system prompt and the other information I provided to the LLM in the .prompt files in this GitHub repository.
— Sean Heelan
Tags: llm-reasoning, security, generative-ai, openai, o3, ai, llms
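The bug class in the quoted passage, an object that is not reference counted being freed by one connection's logoff handler while another thread can still reach it, reduces to a lifetime-management pattern that is easier to see in a small model than in a real server. The block below is an added example, not code from Sean Heelan's post, his repository, or any SMB implementation. The session and connection structs, the `live` flag and the static pool are assumptions made so that the use-after-free shows up as an error code rather than as undefined behaviour, and the two-thread interleaving is replayed sequentially so the result is deterministic.

```c
/* Added example, not code from Sean Heelan's post or any SMB server: a minimal
 * model of the bug class described above. Two connections share one session;
 * the vulnerable logoff frees it outright, the hardened logoff drops a reference.
 * struct session, struct conn and the "live" flag are hypothetical; the static
 * pool stands in for the allocator so a use-after-free is observable as an
 * error code instead of undefined behaviour. */
#include <stdatomic.h>
#include <stddef.h>

#define MAX_SESSIONS 4
#define ERR_USE_AFTER_FREE (-1)

struct session {
    unsigned long id;
    atomic_int refcount;  /* connections holding the session; hardened path only */
    int live;             /* 1 while allocated, 0 once freed (simulated allocator) */
};

struct conn { struct session *sess; /* the session this connection is bound to */ };

static struct session pool[MAX_SESSIONS];

static struct session *session_alloc(unsigned long id)
{
    for (size_t i = 0; i < MAX_SESSIONS; i++) {
        if (!pool[i].live) {
            pool[i].id = id;
            pool[i].live = 1;
            atomic_store(&pool[i].refcount, 1); /* creator's reference */
            return &pool[i];
        }
    }
    return NULL;
}

static void session_free(struct session *s)
{
    s->live = 0; /* a real free() hands the memory back for reuse; here we just mark it */
    s->id = 0;
}

/* Any request on a connection dereferences the session it is bound to. */
static int handle_request(const struct conn *c)
{
    if (c->sess == NULL)
        return -2;
    if (!c->sess->live)
        return ERR_USE_AFTER_FREE; /* with a real allocator this read is UB */
    return (int)c->sess->id;
}

/* Vulnerable pattern: binding takes no reference, logoff frees unconditionally. */
static void bind_vuln(struct conn *c, struct session *s) { c->sess = s; }

static void logoff_vuln(struct conn *c)
{
    session_free(c->sess); /* other connections still hold this pointer */
    c->sess = NULL;
}

/* Hardened pattern: every user holds a reference; whoever drops the last one frees. */
static void session_get(struct session *s) { atomic_fetch_add(&s->refcount, 1); }

static void session_put(struct session *s)
{
    if (atomic_fetch_sub(&s->refcount, 1) == 1) /* we held the last reference */
        session_free(s);
}

static void bind_safe(struct conn *c, struct session *s) { session_get(s); c->sess = s; }

static void logoff_safe(struct conn *c)
{
    struct session *s = c->sess;
    c->sess = NULL;
    session_put(s);
}

/* One interleaving of two connection threads, replayed sequentially so the outcome
 * is deterministic: A creates the session, B binds to it, A logs off, then B
 * handles a request on the shared session. */
static int demo_vulnerable(void)
{
    struct conn a = {0}, b = {0};
    struct session *s = session_alloc(42);
    a.sess = s;
    bind_vuln(&b, s);
    logoff_vuln(&a);
    return handle_request(&b); /* ERR_USE_AFTER_FREE: B touches freed memory */
}

static int demo_hardened(void)
{
    struct conn a = {0}, b = {0};
    struct session *s = session_alloc(42);
    a.sess = s;
    bind_safe(&b, s);
    logoff_safe(&a);             /* refcount 2 -> 1: session stays alive for B */
    int rc = handle_request(&b); /* 42: B's reference kept the object valid */
    logoff_safe(&b);             /* refcount 1 -> 0: now it is actually freed */
    if (rc != 42 || s->live)     /* inspecting pool storage is safe in the simulation */
        return -1;
    return rc;
}

int main(void)
{
    return (demo_vulnerable() == ERR_USE_AFTER_FREE && demo_hardened() == 42) ? 0 : 1;
}
```

The hardened variant fixes only the lifetime question: each connection that can reach the session holds a reference, and the logoff handler drops its own reference instead of freeing. In a real server the pointer hand-off in `bind_safe` and `logoff_safe` would also have to happen under whatever lock protects the session table, otherwise a reader could still observe the pointer between the free and the clearing of the field.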
AI Summary and Description: Yes
Summary: The text discusses a significant vulnerability (CVE-2025-37899) discovered using OpenAI's o3 model: a use-after-free in an SMB server's handler for the ‘logoff’ command. It highlights the leap in LLMs’ ability to reason about code, including concurrent code, in the context of vulnerability research, and argues that practitioners in the field should take notice of these developments.
Detailed Description: The discussion revolves around the discovery of a use-after-free vulnerability in the SMB ‘logoff’ command handler, found by o3. Understanding the bug requires reasoning about concurrent connections to the server and the objects they share, which is what makes the finding notable as a demonstration of LLM capability in security analysis. The following key points emerge from the text:
– **Vulnerability Identification**:
– CVE-2025-37899 is a concurrency bug: an object that is not reference counted is freed by the logoff handler while another thread can still reach it, leaving that thread with a dangling pointer. This is a use-after-free, a memory-safety bug class that is frequently exploitable because the freed memory can be reallocated and overwritten before the stale pointer is used.
– **LLM Capabilities**:
– Spotting this required the model to reason about how several connections share objects under specific circumstances, a notable advance over pattern-matching for bugs confined to a single function.
– Heelan states that, as far as he is aware, this is the first public discussion of a vulnerability of this nature being found by an LLM.
– **Implications for Vulnerability Researchers**:
– The author urges vulnerability researchers to start paying close attention, since LLMs can now make them significantly more efficient and effective.
– He asserts that expert-level researchers and exploit developers are not about to be replaced; rather, o3 has a reasonable chance of solving, or helping solve, any problem that can be represented in fewer than 10,000 lines of code.
– **Call to Action**:
– Professionals in the field are encouraged to integrate these advancements into their research methodologies, leveraging the powerful reasoning capabilities of LLMs to potentially expedite the search for security vulnerabilities.
– **Further Information**:
– Additional insights and data (like the prompt files used) can be found in a linked GitHub repository, indicating a transparent approach to sharing methods used in the discovery.
Overall, the text reveals a pivotal moment in the intersection of AI and security, particularly within vulnerability analysis, signifying a shift in how professionals may approach their work with the assistance of advanced language models.