
Linus Torvalds Pushes Back as AI Bug Reports Overwhelm Linux Security Team

On Sunday, May 17, 2026, on the occasion of the release of the Linux 7.1-rc4 kernel, Linus Torvalds slammed his fist on the table. Why? The mailing list dedicated to Linux kernel security is starting to buckle under the weight of bug reports automated by artificial intelligence. The situation is alarming.

Linux kernel bugs: duplicates everywhere...

The massive use of AI tools for bug detection in the Linux kernel is making things complicated, even unmanageable, to borrow Linus Torvalds' words. Indeed, in the message accompanying the release of Linux 7.1-rc4, he states: "The relentless flood of AI-generated reports has made the security list effectively unmanageable, with huge redundancies because different people are identifying the same issues with the same tools. People are spending all their time just forwarding information to the right people or replying 'this was already fixed a week/a month ago' and pointing back to the public discussion."

That sums up the situation quite well. Some people analyze the Linux kernel code, identify a security flaw, and assume it is unique. However, it is likely that someone else made the same discovery a few hours earlier... All of this creates duplicate, or even triplicate, reports.

Each researcher sends in a report, certainly thinking they are doing the right thing, but behind the scenes there are humans struggling. That is not surprising, since there have never been so many reports submitted, and the current model for handling them is no longer suitable.

As a result, a small number of mostly volunteer humans spend their time sorting through mountains of messages rather than focusing on the development of the Linux kernel itself.

Linus Torvalds - AI alert in May 2026

New rules to follow

Willy Tarreau, a developer on the project, has updated the documentation associated with this new Linux kernel version. He added several sections and interesting details about the use of AI.

He explains that reports must be clear, concise, and above all verified on a real machine. A report should not be theoretical, submitted on the assumption that maintainers will carry out the necessary checks. In reality, the current problem is that some people submit bugs discovered by AI even though they do not understand what they are doing.

At present, there are reportedly between 5 and 10 reports per day, whereas 2 years ago it was 2 to 3 reports per week. "Many AI tools are actually better at writing code than evaluating it. Ask your tool to propose a fix and test it before reporting the issue. If the fix cannot be tested because it depends on rare hardware or practically extinct network protocols, it probably is not a security bug," he says.

From now on, it is essential to follow the new rules described on this page of the official documentation. What Linus Torvalds is asking for is an engineering approach: read the documentation, analyze the context, and design a patch that adds real value beyond what the machine has done.

Finally, this phenomenon is not specific to the Linux kernel. Many open source projects are experiencing similar waves, while the use of AI has caused security flaw discovery to explode among many software vendors.

Florian Burnel Co-founder of IT-Connect
Systems and network engineer, co-founder of IT-Connect and Microsoft MVP "Cloud and Datacenter Management". I'd like to share my experience and discoveries through my articles. I'm a generalist with a particular interest in Microsoft solutions and scripting. Enjoy your reading.
