What it is
Xint Code is Theori’s AI-assisted security research tool. Theori publicly announced Xint Code in December 2025 after ZeroDay Cloud results involving Redis, PostgreSQL, and MariaDB. The later public CopyFail write-up describes a workflow where a researcher identifies an attack surface and an operator prompt gives the system context for an automated code scan.
In the CopyFail case, the target was the Linux crypto/ subsystem and the key human-provided observation was that splice() can deliver page-cache references from read-only files into crypto transmit scatterlists.
The public record is broader than CopyFail. Theori’s Xint public bug tracker listed 50 Xint tracker findings on May 5, 2026, including eight CVE-backed entries. Bugflation indexes CopyFail separately and groups the seven non-CopyFail CVE-backed tracker entries in a second cluster. Embargoed and tracker-only rows are treated as context until enough public source material exists to evaluate them individually.
What is verified
For CopyFail, the public evidence chain is strong:
- The Xint/Theori write-up directly describes Xint Code’s role.
- The CopyFail landing page links the finding to Xint Code.
- The Linux kernel fix credits Theori researcher Taeyang Lee.
- NVD records CVE-2026-31431 with kernel.org’s high severity score.
- The public repository contains the CopyFail PoC and affected distribution testing notes.
For the broader tracker, the evidence is mixed and labeled accordingly:
- The tracker itself is the source for Xint Code attribution.
- Seven non-CopyFail entries include CVE IDs and upstream or advisory links.
- Several tracker rows remain embargoed or intentionally restricted.
- Bugflation does not count embargoed rows as fully auditable findings.
Why it matters
CopyFail is not a generic “AI found a bug” story. It is a concrete example of a human-in-the-loop AI audit that starts from expert intuition and produces a high-impact kernel vulnerability in a mature subsystem.
The tracker changes the framing: Xint Code is not a one-finding system. It is a publicly visible stream of AI-attributed vulnerability research with different levels of corroboration. The right ledger treatment is to show the breadth while keeping CVE-backed, embargoed, and self-reported evidence separate.