
This was rapidly fastened and disclosed as ‘CVE-2026-34219′ with credit score to the staff. The broader concern, nonetheless, was separating the brokers’ actual bugs from those that have been confidently masquerading as such.
“The shock was how little of the work went into discovering them, and the way a lot went into telling the true bugs from those that simply appeared actual,” wrote Nikos Baxevanis, who authored the submit.
The issue began with what an agent produces. A fuzzer, the usual instrument that hurls malformed information at software program till one thing breaks, returned a crash and a file of the place it occurred, which an engineer can verify in minutes.
An agent, nonetheless, returns a created narrative. It traces how the flaw might be reached, argues why it issues, proposes a severity score and provides working code that demonstrates the assault. All of it arrives in fluent prose, studying the identical whether or not the bug is actual or invented.
Three sorts of false optimistic stored recurring, in response to the Basis.
The primary was a crash that solely happens in a check construct, the place the compiler switches on security checks that the shipped software program doesn’t carry, so nothing breaks for actual customers.
The second was an assault that solely works if the harmful worth is planted inside this system by hand, as a result of each route an outsider may take to ship it rejects the worth first. The third got here from formal verification, the observe of proving mathematically that code behaves appropriately, the place a proof handed by demonstrating one thing trivially true and instructed the reviewers nothing concerning the software program.

