Three Days. Two Billion Tokens. One Working Chrome Exploit.

A few days ago, Mohan Mohan from Hacktron ran a benchmark on the newest frontier models — GPT-5.6 Sol Medium, Sol Ultra, and Grok 4.5. He gave each one the V8 source tree and some recent security-fix commits. Then he let them loose.

An artistic photo representing artificial intelligence and the future of technology
Image: Elekes Andor via Wikimedia Commons (CC BY-SA 4.0)

What happened next is the kind of thing that keeps security engineers up at night.

Sol Ultra — the biggest variant of OpenAI’s latest model — took three days, consumed 2.1 billion tokens across 14,062 requests, spawned 74 sub-agents, burnt through $1,596.89 in compute, and delivered a full Chrome renderer exploit from start to finish. It read the patch diffs, reverse-engineered the vulnerabilities, chained them together, escaped the V8 sandbox, and popped a calculator on the screen. Grok 4.5 and Sol Medium both stalled at the cage primitives and never made it past sandbox escape.

Exploit development as we know it just changed forever.

The Numbers Tell the Story

Let me put those figures in perspective because the scale matters. Sol Ultra’s 2.1 billion tokens is roughly equivalent to reading War and Peace end-to-end 700 times. Its 74 sub-agents worked in parallel — the model kept spawning investigation threads and managing them like a project lead directing a team of junior researchers. The root agent alone handled 819.6 million input tokens and 2.02 million output tokens, while the sub-agents chewed through another 1.27 billion input tokens and 4.04 million output tokens.

The root agent went through 33 context compactions, reducing its active context from an average of 262,869 tokens down to 18,911 tokens each time — a 92.67% compression rate — without losing the thread of the investigation. That’s better context management than most human developers I’ve worked with.

Here’s what’s really wild: Grok 4.5 cost $76.62 and got stuck. Sol Medium cost $328.70 and also got stuck. Sol Ultra cost $1,596.89 and finished the whole chain. The difference wasn’t intelligence — it was the model’s ability to delegate, retry, and navigate the search tree without getting lost in rabbit holes.

What It Actually Built

The exploit chain is genuinely elegant. I won’t bore you with every technical detail — the full writeup is on Hacktron’s blog and it’s a fascinating read — but the architecture is worth understanding at a high level because it reveals how the model thinks.

Step 1: It exploited a Maglev type confusion bug (CVE-style, internal bug ID 523884658) where V8’s Maglev compiler inlined ArrayIterator.prototype.next() but didn’t re-check the array’s Map after a mutation. This gave it addrof and fakeobj primitives inside the V8 sandbox.

Step 2: Using those primitives, it forged a JSArray header inside a controlled double array and redirected its elements pointer to read and write anywhere inside the 4-GB pointer-compression cage.

Step 3: It expanded that 4-GB primitive to cover the full 1-TB V8 sandbox by corrupting DataView metadata — byte_length, max_byte_length, and the sandboxed backing-store pointer.

Step 4: It leaked native addresses through a String::VisitFlat vulnerability (a signed integer overflow in SlicedString offset accumulation) and used WebRTC transceivers as heap grooming anchors to scan for Chrome’s base address.

Step 5-9: It chained a NativeModule background-compiler use-after-free into a native OR primitive, redirected the Wasm Code Pointer Table, obtained a valid WCP entry, and achieved code execution.

Nine steps. One continuous thread of reasoning. No human intervention except the initial nudge to “go build this exploit.”

Why This Changes Everything

I’ve been writing about AI security tools for a while on this blog — from the three security warnings in one week to the mess of supply chain attacks. But this is different. Those were about AI as a target or AI as a defensive tool. This is about AI as an offensive weapon that weaponizes vulnerability patches at machine speed.

The core insight that shook me is this: every time a software vendor publishes a security patch, they’re effectively publishing a recipe for an exploit. The patch diff shows exactly what was vulnerable and how it was fixed. A human reverse-engineer can read that diff and build an exploit, but it takes days or weeks. Sol Ultra did it in three days — and that’s with the current generation of hardware and architecture. The next model will be faster.

As Linus Torvalds himself said just this week: “AI is a tool, just like other tools we use. And it’s clearly a useful one.” He was defending AI-generated patches in the Linux kernel. But the same tool that writes patches can weaponize them. That’s the double-edged sword we’re not ready for.

My Take as a Developer and Security Practitioner

I manage IT systems. I think about vulnerabilities and patch management constantly. And this story hits differently when you’ve lived through the reality of enterprise patching.

Here’s the thing that keeps running through my head: the internet is full of unpatched software. The average enterprise takes 15 to 30 days to deploy a critical security patch — if they’re on the ball. That’s 15 to 30 days where a model like Sol Ultra could be chewing through the patch diff, building a weaponized exploit, and deploying it before the first sysadmin has even tested the update in staging.

The patch gap — the window between when a fix ships and when it’s deployed everywhere — just shrank from weeks to days. Maybe hours.

And it’s not just Chrome. Mohan Mohan explicitly says the approach generalizes: “Whoever can throw enough tokens at a model at Sol Ultra’s level or above could write exploits for patches of almost any kind of software in no time.” Any kind. Your VPN software. Your database. Your email client. Your office suite. The firmware on your network switch.

Mohan also notes that human exploit developers aren’t obsolete — but their role changes. They become “meta prompters” and collaborators who explore the search tree together with the model. The judgment stays human. The grinding does not.

The Economics of AI-Powered Exploitation

This is where the conversation gets uncomfortable. Sol Ultra’s exploit cost $1,596.89 in compute. That’s affordable for a state-sponsored APT, a well-funded ransomware group, or even a motivated individual with a stolen credit card. And the cost trajectory is dropping every quarter as model efficiency improves and inference hardware gets cheaper. The economics of this shift are forcing organizations to rethink whether renting AI from big providers still makes sense.

Compare that to the cost of a human exploit developer: $150,000-$400,000 per year in salary, plus months of grinding through patch diffs and debugger sessions. The AI is already cheaper, faster, and more persistent — and the gap only widens from here.

This is also where the “defenders vs. attackers” asymmetry that security professionals have warned about for years finally tips. Defenders have to protect everything. Attackers only need one hole. AI makes finding that hole dramatically cheaper.

What This Means for the Rest of Us

I think there are three implications that matter for developers and IT professionals reading this:

First, patch faster. I know, easier said than done. But if your organization is taking weeks to deploy security updates, that timeline just became unacceptable. Automated patch management, zero-downtime deployment pipelines, and staged rollouts aren’t nice-to-haves anymore. They’re survival mechanisms.

Second, assume every vulnerability is already weaponized. The old calculus where you could deprioritize a moderate-severity bug because “nobody’s going to write an exploit for that” no longer applies. If the patch exists, a model can read it and build an exploit. Your risk assessment needs to factor that in.

Third, invest in detection, not just prevention. The “prevent all exploits” model was already broken. Now it’s dead. Defense-in-depth — endpoint detection, behavioral monitoring, network segmentation, least-privilege architecture — matters more than ever because the exploit is coming. The question is whether your detection and response can catch it before it does damage.

Bottom Line

I’ve been following AI’s progress in security for two years now — from vulnerability discovery benchmarks to automated patching. I wrote a post just last week about how Microsoft patched 622 flaws in one day and AI found most of them. The defensive side is moving fast. But this Sol Ultra result is the first time I’ve genuinely felt that the offensive side just leapfrogged everything.

Mohan ends his blog post with a chilling observation: the root agent’s architecture — a central investigator that delegates to sub-agents, manages context, and iterates toward a goal — is exactly the same shape that human-led exploit development will take. The human becomes the root agent, the LLM becomes the sub-agents. The grinding is automated. The judgment stays human, but the volume of work the machine can do in parallel is staggering.

We’re not talking about some hypothetical future where AI writes exploits. It happened last week. It cost sixteen hundred dollars. And it only gets cheaper from here.

What are you doing to close your patch gap?

0 0 votes
Article Rating
Subscribe
Notify of
guest

This site uses Akismet to reduce spam. Learn how your comment data is processed.

0 Comments
Newest
Oldest Most Voted