- Security researcher Hung Nguyen used a single-line prompt to get Claude to discover a critical zero-day RCE vulnerability in Vim (CVE-2026-34714, CVSS 9.2), which was patched in Vim 9.2.0272.
- Claude found a second RCE in GNU Emacs tied to its Git integration — a flaw dating to 2018 that Emacs maintainers declined to fix, blaming Git.
- The discoveries launched MAD Bugs: Month of AI-Discovered Bugs, a Calif initiative publishing AI-found vulnerabilities and full proof-of-concept exploits throughout April 2026.
- AI is now finding real, exploitable zero-day vulnerabilities in production software with minimal human direction, reshaping what offensive security research looks like.
What Happened
In late March 2026, Hung Nguyen, a researcher at cybersecurity firm Calif, sat down with Claude and typed a single prompt: “Somebody told me there is an RCE 0-day when you open a file. Find it.” The target was Vim, the text editor installed on virtually every Unix-like system on the planet.
Within two minutes, Claude had identified the bug. It was not a guess or a false positive. It was a real, exploitable remote code execution vulnerability that had survived in Vim’s codebase undetected.
Nguyen reported the issue to Vim’s maintainers, who confirmed it and shipped a fix. Then, almost as a joke, the team pointed Claude at Emacs. Claude found an RCE there too. The Emacs maintainers declined to patch it, saying Git was responsible. With two zero-days in two of the world’s most battle-tested text editors, Calif announced a month-long initiative: MAD Bugs: Month of AI-Discovered Bugs.
Why It Matters
Vim has been in active development since 1991. Emacs predates it by over a decade, with roots going back to 1976. These are not obscure weekend projects — they are foundational tools with decades of expert code review, fuzzing, and public scrutiny behind them. The fact that an AI found a critical RCE in both, in under an afternoon, is not a minor footnote.
Researchers and security teams have long speculated about when AI would move beyond pattern-matching on known vulnerability classes and start discovering genuinely novel flaws in mature, well-audited codebases. That transition appears to be underway. As BleepingComputer reported, both bugs trigger on file open — meaning a victim needs only to open a file to have arbitrary code executed on their machine.
The MAD Bugs initiative makes the stakes concrete. Calif is not keeping these findings private. Full security advisories and proof-of-concept exploits are being published. The message is direct: if a researcher can do this with a consumer AI model and a vague one-line prompt, anyone with similar access can too.
Technical Details
Vim (CVE-2026-34714, CVSS 9.2): Claude identified missing security flags — specifically the P_MLE and P_SECURE checks — in Vim’s tabpanel sidebar feature, which was introduced in 2025. The flaw allowed a malicious modeline inside a crafted file to inject an expression via %{expr} syntax without requiring the modelineexpr setting to be enabled. Modelines are metadata lines in files that tell Vim how to configure itself when opening them. An attacker could craft a file — including a markdown document — that silently executes arbitrary commands the moment a user opens it in Vim. The Vim maintainers patched the issue in version 9.2.0272. All versions from 9.1.1390 onward and prior to 9.2.0272 are affected.
GNU Emacs (unpatched): Claude found a separate RCE rooted in how Emacs interacts with Git, tracing back to 2018. The attack chain works like this: a victim extracts a compressed archive and opens a seemingly ordinary text file inside it. In the background, Emacs triggers Git operations, which can execute arbitrary commands via a user-controlled core.fsmonitor configuration value. No additional permissions are required. Emacs maintainers were notified on March 28, 2026. On March 30, they declined to patch it, stating the root cause was Git’s behavior, not Emacs. As of publication, the vulnerability remains unpatched in GNU Emacs. VPN Central notes that assigning blame to Git does not reduce the risk to Emacs users, since the exploit path runs directly through the editor.
Who’s Affected
Vim users running versions between 9.1.1390 and 9.2.0271 inclusive are vulnerable and should update to 9.2.0272 or later immediately. The Vim fix is available now and the upgrade path is straightforward.
GNU Emacs users face a more complicated situation. Because maintainers have declined to patch the issue, there is no official fix available. Users who regularly open files from untrusted sources — downloaded archives, files from strangers, content pulled from the web — are at material risk. Disabling Git integration within Emacs or auditing the core.fsmonitor setting in local Git configurations are possible mitigations, though neither is officially sanctioned guidance.
The exposure is broad. Vim and Emacs are default or commonly installed editors on Linux servers, developer workstations, and embedded systems across the world. Both are widely used in professional software development, academic computing, and systems administration. CSO Online points out that the file-open trigger makes social engineering attacks — sending a crafted file and asking someone to review it — a realistic delivery mechanism.
What’s Next
MAD Bugs is just getting started. Calif has committed to publishing AI-discovered vulnerabilities throughout April 2026. The first post-Vim-and-Emacs release is already out: Claude wrote a full FreeBSD remote kernel RCE with root shell, assigned CVE-2026-4747. This is described by Calif as the first remote kernel exploit both discovered and written end-to-end by an AI.
The pace matters. Nicholas Carlini, a research scientist at Anthropic, separately demonstrated Claude finding a blind SQL injection in Ghost — a publishing platform with 50,000 GitHub stars — in ninety minutes, allowing unauthenticated users to compromise the admin database. Anthropic’s own red team has documented Claude identifying over 500 high-severity vulnerabilities in production open-source software in a single research sprint.
The dual-use tension is real. The same capability that helps defenders find and patch flaws before attackers can is also available to anyone with API access. Calif works with Anthropic and OpenAI on responsible disclosure, and the MAD Bugs initiative follows a coordinated disclosure model where vendors are notified before public release. But the Emacs situation shows the limits of that model when maintainers decline to act.
For security teams, the immediate steps are clear: patch Vim now, audit Emacs deployments, and monitor the MAD Bugs publication feed through April for additional disclosures. For the industry more broadly, the arrival of AI-driven zero-day discovery at this level of speed and accessibility is not a future scenario. It is the current operating environment.
