This was rapidly mounted and disclosed as ‘CVE-2026-34219′ with credit score to the workforce. The broader concern, nonetheless, was separating the brokers’ actual bugs from those that have been confidently masquerading as such.
“The shock was how little of the work went into discovering them, and the way a lot went into telling the true bugs from those that simply appeared actual,” wrote Nikos Baxevanis, who authored the publish.
The problem began with what an agent produces. A fuzzer, the usual device that hurls malformed knowledge at software program till one thing breaks, returned a crash and a report of the place it occurred, which an engineer can affirm in minutes.
An agent, nonetheless, returns a created narrative. It traces how the flaw could possibly be reached, argues why it issues, proposes a severity score and provides working code that demonstrates the assault. All of it arrives in fluent prose, studying the identical whether or not the bug is actual or invented.
Three sorts of false constructive saved recurring, in keeping with the Basis.
The primary was a crash that solely happens in a check construct, the place the compiler switches on security checks that the shipped software program doesn’t carry, so nothing breaks for actual customers.
The second was an assault that solely works if the damaging worth is planted inside this system by hand, as a result of each route an outsider might take to ship it rejects the worth first. The third got here from formal verification, the follow of proving mathematically that code behaves appropriately, the place a proof handed by demonstrating one thing trivially true and advised the reviewers nothing in regards to the software program.

