Linus Torvalds: AI Tools Boost Linux Kernel Commits by Roughly 20% but Flood Security Lists

At the Linux Foundation’s Open Source Summit North America on May 20, 2026, Linus Torvalds said modern AI coding tools have materially increased activity on the Linux kernel while creating new security — management headaches. Speaking in conversation with kernel maintainer Dirk Hohndel, Torvalds called the tools “a great tool” rather than a wholesale replacement for programmers and said the surge in automated output has forced changes to how maintainers handle vulnerability reports. The shift matters because maintainers now face heavier triage burdens and must revise disclosure practices to match the scale of AI-generated findings.

Torvalds traced the recent change to a break in a roughly 20‑year stable release pattern that followed the project’s switch to Git. About six months ago, he said, AI tools matured enough to alter developer behavior, producing a noticeable uptick in contributions. He estimated that the last two kernel releases contained roughly 20% more commits than previous releases and confessed he initially misread the increase as excitement over a major version change before concluding the tooling itself was driving the effect.

Both Torvalds and Hohndel noted the new tooling lowers the barrier to entry for contributors and can accomplish “a big chunk of the work.” Torvalds emphasized that the real impacts are often social and procedural: beyond raw code changes, AI shifts how people collaborate, submit patches and perform code review, which creates new friction points in large open‑source projects that long predated the tools themselves.

An immediate operational problem has been security noise. Torvalds said the kernel’s small, confidential security mailing list was recently overrun with duplicate bug reports generated by AI, creating a significant triage burden as maintainers forwarded many of those findings to the developers responsible for affected areas. In response he announced new AI‑related disclosure guidance: if a security issue was discovered using AI, treat it as effectively public, since many others are likely to have found it the same way.

He also urged restraint around publishing working exploits, advising researchers to avoid releasing exploit code that publicly demonstrates vulnerabilities. Torvalds linked the disclosure shift to broader ecosystem changes: historically, the kernel community would quietly notify distributions, but the scale and public nature of AI‑generated findings means maintainers, distributions and researchers must adapt triage, disclosure and remediation processes. He reiterated his view that, while AI will change workflows and productivity, it will not eliminate the need for skilled programmers.