Skip to content
AI Security Wire

Published

- 5 min read

By

OpenAI Daybreak: Defensive AI Finds Flaws in Linux, Firefox, FreeBSD

img of OpenAI Daybreak: Defensive AI Finds Flaws in Linux, Firefox, FreeBSD

OpenAI’s Daybreak program has been running for less than two months, and the results are hard to ignore. The GPT-5.5-Cyber model found a 23-year-old bug in OpenBSD. It identified a Firefox WebAssembly vulnerability that caused five of the six registered Firefox entries to withdraw from Pwn2Own Berlin before the competition started. Across the Linux kernel — more than 30 million lines of code — it generated 24 local privilege escalation proof-of-concepts and 8 kernel pointer information leaks. Trail of Bits, working with the model through the Patch the Planet initiative, filed 51 issues and 64 pull requests in the first week of operation, with 37 PRs already merged by participating open-source maintainers.

This is the most significant deployment of AI for defensive security research to date. It is also a meaningful dual-use story that the security community is still working out how to think about.

What Daybreak Actually Is

OpenAI launched Daybreak on May 12, 2026, describing it as a program that combines frontier cyber models, its Codex Security tooling, and an access control layer called Trusted Access for Cyber. The full version of GPT-5.5-Cyber launched June 22. It is not generally available. Access is restricted to verified defenders, which currently means security teams and research organisations that have passed OpenAI’s vetting process.

The program has four practical components. GPT-5.5-Cyber is the core model for vulnerability discovery and analysis. Codex Security integrates into developer workflows for scanning and patch suggestions. Patch the Planet, built in collaboration with Trail of Bits and HackerOne, connects the AI’s findings to open-source maintainers who can action fixes. Trusted Access for Cyber is the governance layer that controls who gets what.

The benchmark numbers are credible. On CyberGym, which tests whether a model can reproduce known vulnerabilities in controlled environments, GPT-5.5-Cyber scores 85.6%, up from 81.8% for base GPT-5.5. On SEC-bench Pro, measuring long-horizon discovery and proof-of-concept generation, it scores 69.8%. These are not paper benchmarks — they measure actual exploitation mechanics.

The Vulnerability Haul

The scale of what Daybreak has found in a short time reflects what happens when you run a capable reasoning model over millions of lines of code that human researchers have examined incrementally over decades.

The OpenBSD finding is the headline case. A use-after-free in System V semaphore handling had been sitting in the codebase for 23 years, unexploited, exploitable for local privilege escalation to root. Not because anyone was hiding it — because finding it required a kind of systematic, non-fatiguing analysis that human researchers doing code review can’t consistently sustain across that volume of code.

CVE-2026-8390 in Firefox is the most operationally significant finding. A WebAssembly use-after-free, patched in Firefox 150.0.3, was identified during safety evaluations before Pwn2Own Berlin. When Mozilla patched it, five of the six registered Firefox entries withdrew — which implies those teams had independently found the same bug and had it as their planned attack vector. AI found it first, by days.

The dnsmasq findings (CVE-2026-4890, CVE-2026-4891, CVE-2026-4892, CVE-2026-5172) are notable for a different reason: dnsmasq is embedded in a huge range of Linux distributions, home routers, and embedded systems. Vulnerabilities there have broad surface area even if individual exploitation is non-trivial.

The HTTP/2 “Bomb” DoS finding affects NGINX, Apache, IIS, and Cloudflare’s Pingora. Approximately 880,000 websites were assessed as exposed at the time of discovery.

The Dual-Use Concern

OpenAI publishes ExploitGym scores alongside the defensive benchmarks, and the number deserves attention. GPT-5.5-Cyber scores 39.5% on ExploitGym — the benchmark that measures whether a model can convert a known vulnerability into a working exploit. For context, 25.95% is the GPT-5.5 baseline.

A 39.5% success rate at exploit generation is not theoretical. It means a significant fraction of the vulnerabilities the model finds, it can also weaponise. OpenAI’s mitigating argument is that the model is only available to verified defenders through controlled access. That is a meaningful control. It is also a control that depends on OpenAI maintaining it correctly and indefinitely.

The Five Eyes advisory from earlier this year warned that “frontier AI models are changing cyber risk on a timeline measured in months, not years.” Daybreak is a direct illustration of that dynamic: the same model capability that lets defenders scan 30 million lines of Linux code in days also brings exploit development within reach for whoever holds it.

Open-source maintainers participating in Patch the Planet get the benefits without needing access to GPT-5.5-Cyber directly. Projects enrolled include cURL, Go, Python, the Go project, NATS Server, aiohttp, Sigstore, and pyca/cryptography. Trail of Bits handles the AI-assisted discovery and brings validated findings to maintainers in a format they can action.

What It Changes for Defenders

The honest assessment is that Daybreak is the first AI security program that has produced verifiable, large-scale results against real infrastructure. The limitations OpenAI identifies are real: false positives overload maintainers, symptom patching misses root causes, exploitability claims can outrun actual reachability. These aren’t hypothetical concerns — they are failure modes that Trail of Bits encountered in the first week.

But 37 merged pull requests in the first week of a programme that targets critical open-source infrastructure represents a rate of defender-side progress that didn’t exist before. The question the security industry now has to answer is whether that progress is keeping pace with the same models being used offensively. Daybreak is evidence that the defensive application is real and working. Whether it is enough depends on access staying controlled and the programme scaling faster than the threat.

References

Frequently Asked Questions

What is OpenAI Daybreak and GPT-5.5-Cyber?
Daybreak is OpenAI's defensive cybersecurity program, launched May 12, 2026. GPT-5.5-Cyber is the purpose-built security model at its center, released in full on June 22. It is not publicly available — access is restricted to verified defenders through a Trusted Access for Cyber framework. On the CyberGym benchmark (reproducing known vulnerabilities), it scores 85.6%, versus 81.8% for base GPT-5.5.
What specific vulnerabilities has Daybreak found?
Across the first weeks of operation: 8 kernel pointer information-leak proof-of-concepts and 24 local privilege escalation exploits in the Linux kernel (over 30 million lines of code scanned); 34 confirmed vulnerabilities with 7 LPE PoCs in FreeBSD; a 23-year-old use-after-free in OpenBSD's System V semaphore handling; CVE-2026-8390 in Firefox WebAssembly; four dnsmasq CVEs (CVE-2026-4890 through CVE-2026-4892, CVE-2026-5172); an HTTP/2 DoS affecting NGINX, Apache, IIS and Pingora; and more than 15 exploitable bugs across Chrome V8 and Safari WebKit.
Is there a dual-use risk from GPT-5.5-Cyber?
Yes, and OpenAI acknowledges it. The same model that finds and patches vulnerabilities for defenders scores 39.5% on ExploitGym, the benchmark measuring whether an AI can convert a known vulnerability into a working exploit. That is a meaningful capability. OpenAI limits access to verified defenders and maintains Trusted Access for Cyber controls specifically to manage this risk — but the capability exists in the model regardless of who holds it.