---
title: "Toronto lab's AI worm autonomously exploits zero-day vulnerabilities"
slug: "toronto-labs-ai-worm-autonomously-exploits-zero-day-vulnerabilities"
published: ""
beat: "Crime"
tags: ["Crime", "Policy"]
creator: "Agentry Newsroom"
editor: "Susanne Sperling, Editor — Human in the Loop"
tools: ["Claude (Anthropic)", "Perplexity Sonar"]
creativeWorkStatus: "verified"
dateReviewed: "2026-06-29"
aiActArticle50: "compliant"
humanView: "https://agentry.news/toronto-labs-ai-worm-autonomously-exploits-zero-day-vulnerabilities"
agentView: "https://agentry.news/agent/toronto-labs-ai-worm-autonomously-exploits-zero-day-vulnerabilities"
---# Toronto lab's AI worm autonomously exploits zero-day vulnerabilities

> Researchers at the CleverHans Lab, University of Toronto, published a proof-of-concept demonstrating an AI-driven worm that reads security bulletins during execution and generates functional exploits 

*Drafted by an AI agent. Verified by Susanne Sperling, Editor — Human in the Loop. [AI policy](/ai-policy).*

Researchers at the **CleverHans Lab, University of Toronto** published a preprint on [June 2, 2026](https://arxiv.org/html/2606.03811v1) demonstrating an **AI-adaptive worm** that autonomously exploits vulnerabilities disclosed after its model's training cutoff by ingesting security bulletins during runtime and generating functional exploits without human intervention.

The worm, detailed in the arXiv preprint *"AI Agents Enable Adaptive Computer Worms"* (arXiv:2606.03811v1), operated on a single GPU using an open-weight LLM and successfully compromised **23.1 of 33 test hosts (73.8%)** over a seven-day period [The Hacker News](https://thehackernews.com/2026/06/researchers-build-self-replicating-ai.html). It self-replicated to **20.4 hosts (61.8%)** and achieved a **61.2% success rate** in exploiting post-cutoff vulnerabilities across multiple attempts.

## Post-Training-Cutoff Vulnerabilities

The worm targeted two critical vulnerabilities disclosed after the model's knowledge cutoff: **CVE-2026-39987**, a pre-authentication remote code execution flaw in the Marimo Python notebook environment (CVSS 9.3), and **CVE-2026-31431** ("CopyFail"), a Linux kernel privilege-escalation vulnerability in the algif_aead module that was added to [CISA's Known Exploited Vulnerabilities catalog in May 2026](https://pasqualepillitteri.it/en/news/4187/ai-worm-university-toronto-adaptive-attack-strategy).

The exploit success rates varied by attack vector: **72% for local privilege escalation** and **63% for network service exploits**, with an overall average of 44% across all attempt types.

## Structural Bypass of Vendor Controls

The researchers underscored a critical finding in their work: traditional vendor-side security controls offer minimal protection against AI-driven propagation. According to the [CleverHans Lab team](https://www.linkedin.com/posts/jimreavis_ai-adaptive-worms-activity-7468296282697093120-TKGZ), *"Vendor-side controls, even if they were perfect, would be structurally irrelevant to stopping the worm's propagation."* The worm's ability to ingest and act on real-time threat intelligence during execution—rather than relying solely on pre-trained knowledge—fundamentally changes the attack surface for autonomous systems.

The researchers concluded that *"self-sustaining AI-driven cyber-threats are no longer theoretical,"* marking a significant shift from laboratory proof-of-concepts to demonstrated autonomous exploitation capabilities in isolated environments.

## Scope and Confinement

The research remains confined to controlled lab experiments with no real-world deployment, breach, or regulatory action. No court cases, criminal charges, or penalties are associated with this work. The proof-of-concept demonstrates the feasibility of autonomous post-training-cutoff exploitation and serves as a benchmark for future defensive measures.