Linux kernel maintainer Linus Torvalds told the Linux Kernel Mailing List on 18 May 2026 that the volume of duplicate vulnerability reports generated by AI-powered bug-hunting tools has made the Linux security list “almost entirely unmanageable,” according to theregister.com.
Torvalds explained that multiple security researchers are running the same large-language-model scanners against the kernel source tree and filing near-identical reports for the same flaws. The resulting flood, he wrote, creates “unnecessary pain and pointless work” for maintainers who must triage, deduplicate and often reject the submissions. The problem has grown sharply since late 2025, when several commercial and open-source AI fuzzers became freely available, leading to a spike in low-signal traffic on the oss-security and linux-distros lists.
The overload comes at a sensitive time for Linux security. Google’s $10 million KernelCTF bounty and the OpenSSF’s Alpha-Omega grants have expanded the pool of paid bug hunters, while the EU’s Cyber Resilience Act will soon require faster patch turnaround. Red Hat, SUSE and Canonical all told The Register they are dedicating extra staff to triage queues, and the OpenSSF is drafting reporting templates to reduce duplicates. Similar surges hit the Chromium and Mozilla projects in 2024-25, prompting those teams to adopt automated deduplication bots that Linux has not yet deployed.
Torvalds asked researchers to coordinate through the newly created linux-security-coord list before filing reports and set a 1 June 2026 deadline for tool vendors to embed report-hashing that would auto-block repeats. Kernel 6.14-rc1, due mid-July, will ship with a new REPORTING-DUPLICATES file documenting the policy; maintainers say they will start rejecting unhashed AI reports after that cut-off.