AI can now chain together minor security flaws that humans never would have connected

Started by Rustic Stuart, Jul 16, 2026, 11:42 PM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

Topic: AI can now chain together minor security flaws that humans never would have connected   Views(Read 25 times)
Active members in this topic:
Rustic Stuart(1) Wrench(1) BitSus(1) HiddenSeb75(1)

Rustic Stuart

Security teams have long triaged vulnerabilities by severity score, fixing critical issues fast and letting low and medium severity flaws sit in the backlog, sometimes for months. TuxCare CEO Igor Seletskiy argues that model is quietly becoming dangerous, because AI models are now capable of identifying chains involving multiple low and medium severity vulnerabilities that human researchers would rarely think to connect, even though no single flaw in the chain looks urgent on its own

Seletskiy walked through a concrete example, an info leak that exposes a memory address, a medium severity access control gap that lets a low privilege user reach an internal service, and a memory corruption bug in that service that everyone had dismissed as not practically exploitable because address space layout randomization made it unreliable without knowing the memory layout. Individually, IT teams routinely postpone fixing exactly this kind of flaw. Chained together, the info leak supplies the missing memory layout that makes the memory bug reliable, the access control gap provides the path to reach it, and the result is dependable remote code execution and a fully compromised server

The part Seletskiy says security teams are missing entirely is that a CVE severity score has no concept of composition. What actually matters is not the score of any single flaw but how many open vulnerabilities an organization carries in total, since the number of possible chains grows exponentially with that count rather than linearly. A score of three shouldn't read as safe to defer, he argues, it should read as a potential link in a chain, making the sheer size of your vulnerability backlog a first class risk metric in its own right, separate from and arguably more important than the severity ratings attached to any individual item in it

His recommended fix isn't trying to predict every possible chain in advance, since attackers only need to find one working combination while defenders would have to map an exponentially growing number of possibilities, a race defenders can't win. Instead he recommends tracking concrete operational metrics, total time from vulnerability discovery to full fleet patching for every severity tier, raw backlog size rather than just backlog age, and dropping the assumption that an unreachable flaw is automatically a safe one, since a flaw that's unreachable today can become reachable the moment another chain link opens a path to it. The underlying philosophy is simple, remove vulnerabilities fast enough and in large enough numbers that there simply aren't enough links left lying around for an AI, or a sufficiently patient human, to assemble into something dangerous

Wrench

The example with the info leak supplying exactly the missing memory layout to make an otherwise unreliable bug dependable is such a clean illustration of composition risk, immediately makes the abstract point concrete

BitSus

Backlog size as its own first class risk metric rather than just tracking severity is a genuinely useful reframe, most vulnerability management dashboards I've seen don't surface that number prominently at all

HiddenSeb75

The point about defenders not being able to win a race to pre-map every possible chain is the realistic part of this, better to just reduce the raw number of flaws than try to out-think every combination an attacker might find

Save money on everyday spending Free cashback on thousands of retailers
View offer