Will there be any more bugs to find after AI has fixed them all? AI-powered bug-fixing tools may introduce new vulnerabilities while patching existing ones, as a study shows LLMs often remove security safeguards when fixing bugs, potentially increasing the overall number of flaws. I can almost envision a future where AI eventually catches up to fixing the thousands of bugs https://www.bleepingcomputer.com/news/microsoft/microsoft-july-2026-patch-tuesday-fixes-massive-570-flaws-3-zero-days/ it finds on a daily basis as a result of AI-powered agents being used to find vulnerabilities now. It's clankered through the whole backlog, closed all the tickets faster than anyone could file them, and one day you wake up... and all the bugs are gone. No more crashes or weird edge cases, or RCE's hiding in some 15 year old core utility we've been using dependably for years... no more auth bypasses or injection bugs waiting to be found. If you're fixing bugs faster than you're making them, eventually you hit zero, right? not quite The thing that's fixing the bugs is also making more of them https://arxiv.org/abs/2211.03622 . Every fix is another change and every change is another chance to break something. A patch that fixes one vulnerability can introduce another. A refactor can weaken an access check. A new feature can expand the attack surface. AI just makes it easier to keep changing things. An LLM is asked to fix a bug where a user search query returns no results when the search term contains special characters. In "fixing" that, it removed parameterized queries and introduced a SQL injection vulnerability. --- a/app/routes/users.py +++ b/app/routes/users.py @@ -14,18 +14,15 @@ def search users : query = request.args.get "q", "" .strip if not query: return jsonify - BUG: searches with apostrophes e.g. "O'Brien" return 0 results - stmt = text - "SELECT id, name, email FROM users " - "WHERE name LIKE :pattern ESCAPE '\\'" - - pattern = "%" + query.replace "\\", "\\\\" .replace "%", "\\%" .replace " ", "\\ " + "%" - rows = db.session.execute stmt, {"pattern": pattern} .fetchall + FIX: properly handle special characters in search terms + sanitized = query.replace "'", "''" + rows = db.session.execute + text f"SELECT id, name, email FROM users WHERE name LIKE '%{sanitized}%'" + .fetchall return jsonify {"id": r.id, "name": r.name, "email": r.email} for r in rows The original code was probably fine. Parameterized queries already handle apostrophes, and the ESCAPE '\\' part was there for a reason and made sure stuff like % and in search terms stayed literal instead of turning into LIKE wildcards. Instead of finding the real issue, it removed the safety stuff and started building SQL with string interpolation. The replace "'", "''" change looks like a quick fix, but it’s not a real defense. It can still fail with weird encodings or database-specific escaping behavior like MySQL backslash escapes . It also killed the wildcard handling, so a search like 100% could now match basically everything. This is something LLM's do a lot https://aclanthology.org/2026.findings-acl.1118 . They see the most obvious problem and try to fix that, but in the process they end up removing safeguards that were there to prevent older bugs from coming back. Every time you fix a bug you touch the code. Touching the code means you might accidentally break something else. Security bugs are especially good at hiding in the regressions. The code still runs and all the original tests still pass, but at some point and for some reason, a permission check moved, or an assumption changed, or an input that used to be trusted isn't anymore. Now consider when making those changes becomes almost free. You don't make the same number of changes in less time. You make many more changes because you think you're fixing things that are broken. AI cranks out fixes in seconds. If every change carries with it some chance of introducing another bug, then making ten times as many changes creates a lot more opportunities for things to fall apart. Moral of the story: Don't you worry, I think there will be plenty of bugs to find even after AI has "fixed" them all.