AI Tools Flood Linux Maintainers with Duplicate Vulnerability Reports

Linux kernel maintainers are overwhelmed by thousands of duplicate bug reports created by AI tools designed to automatically find vulnerabilities. Volunteers…

AI-processed from CNews AI; edited by Hamidun News
Source: CNews AI. Collage: Hamidun News.
Linux kernel maintainers have encountered an unexpected problem: AI tools designed to find vulnerabilities generate such a volume of bug reports that volunteers simply cannot process them in time. Thousands of duplicates and low-quality reports paralyze work on real security issues.

Scale of the Surge

The wave of automated reports grows every week. AI tools trained on source code scan the Linux kernel for potential vulnerabilities and automatically file bug reports. The problem is that these tools generate multiple duplicates of the same issue: from different tools, in different formats, with varying levels of detail.

Maintainers are mostly volunteers working in their spare time. Each report needs to be read, understood, tested for reproducibility, and assessed to determine whether it describes a real vulnerability or a false positive. When reports number in the hundreds per day, the process grinds to a halt.

Why AI Creates Noise

Over the past two years, large language models (LLMs) such as ChatGPT, DeepSeek, and Claude have become more accessible and more capable. Enthusiasts and companies have launched automated vulnerability scanners built on these models. On paper, this sounds useful: additional eyes on the code. In practice, it creates an information overload problem.

AI often flags code that looks suspicious but is actually safe in the context of the Linux kernel. Models do not always understand the kernel's specifics, its security architecture, or the protections already in place. The result is hundreds of 'findings' that turn out to be useless.

Consequences Are Already Visible

The influx of noisy reports is impacting the development process:

  • Real critical vulnerabilities get lost in the flood of duplicates and false positives
  • Maintainers are forced to spend time sorting instead of coding
  • Some volunteers are threatening to leave the project due to burnout
  • The speed of patching real problems slows down
  • The review process becomes more exhausting and slower

Developers have proposed creating a separate filter or quarantine queue for AI-generated reports, so that they are kept apart from reports submitted by humans.

What This Means

The paradox is that tools meant to improve security are actually hindering it. AI is useful for finding patterns, but its output requires human filtering and contextual understanding. The Linux community may face a choice: either close bug tracking to automated tools, or establish a procedure for verifying reports before they are published.

Hamidun News
AI news without noise. Daily editorial selection from 400+ sources. A product by Zhemal Khamidun, Head of AI at Alpina Digital.