- AISLE AI toolset exposed OpenSSL vulnerabilities dating back to earliest HTTPS era
- Even heavily audited security code can hide serious flaws for decades
- Crashes and memory corruption remain common failure modes in cryptographic software
OpenSSL is one of the most widely used cryptographic libraries today and forms the basis of HTTPS and encrypted communications on the Internet.
Despite decades of review, testing, and community scrutiny, a coordinated release in January 2026 addressed twelve previously undisclosed vulnerabilities.
These issues ranged from high and moderate severity flaws to a broader set of lower severity issues involving crashes, memory management errors, and encryption weaknesses.
Some of these failures have persisted since 1998, highlighting the limits of human review even on highly scrutinized projects.
AISLE’s AI toolset used contextual detection to analyze OpenSSL code, assign priority scores to potential threats, and reduce false positives.
The autonomous system identified all twelve known CVEs and also detected six additional issues before their public disclosure.
The most serious issue, CVE-2025-15467, involved a stack buffer overflow in CMS AuthEnvelopedData parsing, which under restricted conditions could allow remote code execution.
A related but less severe flaw, CVE-2025-11187, arose from a lack of parameter validation in the handling of PKCS#12 and created a path to a stack-based buffer overflow with no guaranteed exploitability.
Several vulnerabilities caused denial of service conditions via crashes or resource exhaustion rather than direct code execution.
CVE-2025-15468 triggered failures during QUIC encryption handling, CVE-2025-69420 affected verification of the TimeStamp response, and CVE-2025-69421 caused failures during PKCS#12 decryption.
Similar crash behavior appeared in CVE-2026-22795, which linked to PKCS#12 parsing, and CVE-2026-22796, which broke PKCS#7 signature verification in legacy code paths.
Errors in memory management formed another group of problems.
CVE-2025-66199 allowed memory exhaustion via TLS 1.3 certificate compression, which could degrade system availability.
CVE-2025-68160 exposed memory corruption in the line buffer logic and affected versions dating back to OpenSSL 1.0.2.
A separate flaw, identified as CVE-2025-69419, involved memory corruption related to PKCS#12 character encoding. Not every vulnerability produced an immediate or visible crash, however.
CVE-2025-15469 introduced silent truncation in the handling of post-quantum ML-DSA signatures, which compromised cryptographic correctness without any obvious runtime error.
CVE-2025-69418 affected the OCB encryption mode in hardware-accelerated paths and could weaken encryption guarantees in specific configurations.
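Two of the failure classes listed above, an unchecked declared length copied into a fixed-size stack buffer and input that is silently truncated instead of rejected, come down to the same missing validation step in a length-prefixed parser. The C below is an added, constructed illustration of that check in a hardened form; it is not OpenSSL code and does not reproduce any of the CVEs named here. The wire format (one tag byte, two big-endian length bytes, payload) and the MAX_PAYLOAD limit are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical record layout: 1 tag byte, 2-byte big-endian length, payload.
 * Constructed for illustration; not an OpenSSL structure. */
#define HEADER_LEN 3
#define MAX_PAYLOAD 64

enum parse_status {
    PARSE_OK = 0,
    PARSE_ERR_SHORT_HEADER = 1,  /* fewer than HEADER_LEN bytes available */
    PARSE_ERR_TOO_LONG = 2,      /* declared length exceeds the fixed buffer */
    PARSE_ERR_TRUNCATED = 3      /* declared length exceeds bytes actually present */
};

struct field {
    uint8_t tag;
    uint16_t len;
    uint8_t payload[MAX_PAYLOAD]; /* fixed-size destination, typically on the caller's stack */
};

/* Hardened parser: every length is validated before any byte is copied. */
enum parse_status parse_field(const uint8_t *in, size_t in_len, struct field *out)
{
    if (in_len < HEADER_LEN)
        return PARSE_ERR_SHORT_HEADER;

    uint16_t declared = (uint16_t)((in[1] << 8) | in[2]);

    /* This is the check whose absence turns an attacker-chosen length
     * into a stack buffer overflow on memcpy. */
    if (declared > MAX_PAYLOAD)
        return PARSE_ERR_TOO_LONG;

    /* Reject short input instead of copying fewer bytes than declared:
     * silently truncating leaves a structurally valid but wrong value. */
    if ((size_t)declared > in_len - HEADER_LEN)
        return PARSE_ERR_TRUNCATED;

    out->tag = in[0];
    out->len = declared;
    memcpy(out->payload, in + HEADER_LEN, declared);
    return PARSE_OK;
}

/* Constructed inputs exercising each branch of the parser. */
enum parse_status check_well_formed(void)
{
    uint8_t rec[HEADER_LEN + 4] = { 0x04, 0x00, 0x04, 'a', 'b', 'c', 'd' };
    struct field f;
    return parse_field(rec, sizeof rec, &f);
}

enum parse_status check_oversized_length(void)
{
    /* Header claims 0x1000 bytes, far beyond MAX_PAYLOAD. */
    uint8_t rec[HEADER_LEN + 4] = { 0x04, 0x10, 0x00, 'a', 'b', 'c', 'd' };
    struct field f;
    return parse_field(rec, sizeof rec, &f);
}

enum parse_status check_truncated(void)
{
    /* Header claims 8 payload bytes but only 4 follow. */
    uint8_t rec[HEADER_LEN + 4] = { 0x04, 0x00, 0x08, 'a', 'b', 'c', 'd' };
    struct field f;
    return parse_field(rec, sizeof rec, &f);
}

int main(void)
{
    printf("well-formed: %d\n", check_well_formed());        /* 0 */
    printf("oversized length: %d\n", check_oversized_length()); /* 2 */
    printf("truncated: %d\n", check_truncated());            /* 3 */
    return 0;
}
```

The ordering matters: the upper bound against the destination buffer is checked before the bound against the available input, so an absurd declared length is rejected without ever being used in arithmetic against the input size, and a short record is reported as an error rather than quietly producing a shorter field.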
These discoveries show that AI tools can operate continuously, examine all code paths at scale, and avoid limits related to time, attention, or code complexity.
Traditional static analysis tools often miss complex logical errors or time-dependent vulnerabilities, while autonomous analysis can uncover subtle flaws.
By integrating directly into development workflows, the process resolved these findings before they impacted end users and demonstrated a level of coverage and speed far beyond manual review.
Working with OpenSSL maintainers, the AI-assisted process also recommended fixes, and maintainers adopted some directly into the OpenSSL code.
This shows that AI does not replace human expertise, but rather accelerates detection and remediation processes.
Endpoint protection measures and malware removal strategies can benefit from similar AI-powered approaches to identify hidden threats before deployment.
AISLE’s findings suggest that AI can shift cybersecurity from reactive patching to proactive protection.