
- AISLE AI toolset exposed OpenSSL vulnerabilities stretching back to the earliest HTTPS era
- Even heavily audited security code can hide serious flaws for decades
- Crashes and memory corruption remain common failure modes in cryptographic software
OpenSSL is one of the most widely deployed cryptographic libraries around today, and forms the basis of HTTPS and encrypted communications across the Internet.
Despite decades of review, testing, and community scrutiny, a coordinated January 2026 release addressed twelve previously undisclosed vulnerabilities.
These issues ranged from high and moderate severity flaws to a larger set of lower severity problems involving crashes, memory handling errors, and encryption weaknesses.
Some of these flaws had persisted since 1998, which highlights the limits of human review even in heavily scrutinized projects.
AISLE’s AI toolset used context-aware detection to analyze OpenSSL’s code, assigned priority scores to potential threats, and reduced false positives.
The autonomous system identified the twelve known CVEs and also detected six additional issues before public disclosure.
The most serious issue, CVE-2025-15467, involved a stack buffer overflow in CMS AuthEnvelopedData parsing, which under constrained conditions could permit remote code execution.
A related but less severe flaw, CVE-2025-11187, stemmed from missing parameter validation in PKCS#12 handling and created a pathway for stack-based buffer overflow without guaranteed exploitability.
Several vulnerabilities caused denial-of-service conditions through crashes or resource exhaustion rather than direct code execution.
CVE-2025-15468 triggered crashes during QUIC cipher handling, CVE-2025-69420 affected TimeStamp Response verification, and CVE-2025-69421 caused failures during PKCS#12 decryption.
Similar crash behavior appeared in CVE-2026-22795, which was tied to PKCS#12 parsing, and CVE-2026-22796, which disrupted PKCS#7 signature verification in legacy code paths.
Memory handling errors formed another cluster of issues.
CVE-2025-66199 enabled memory exhaustion through TLS 1.3 certificate compression, which could degrade system availability.
CVE-2025-68160 exposed memory corruption in line-buffering logic and affected versions dating back to OpenSSL 1.0.2.
A separate flaw, tracked as CVE-2025-69419, involved memory corruption tied to PKCS#12 character encoding. Not all of the vulnerabilities caused immediate crashes or visible faults, however.
CVE-2025-15469 introduced silent truncation in post-quantum ML-DSA signature handling, which risked cryptographic correctness without obvious runtime errors.
CVE-2025-69418 affected OCB encryption mode on hardware-accelerated paths and could weaken encryption guarantees under specific configurations.
These discoveries show AI tools can operate continuously, examine all code paths at scale, and avoid limits related to time, attention, or code complexity.
Traditional static analysis tools often miss complex logic errors or timing-dependent vulnerabilities, while autonomous analysis can uncover subtle flaws.
By integrating directly into development workflows, the process resolved these findings before they affected end users and showed a level of coverage and speed far beyond manual review.
In collaboration with OpenSSL maintainers, the AI-assisted process also recommended fixes, and maintainers adopted some directly into OpenSSL’s code.
This shows that AI does not replace human expertise but instead accelerates detection and remediation processes.
Endpoint protection measures and malware removal strategies can benefit from similar AI-driven approaches to identify hidden threats before deployment.
The AISLE findings suggest that AI can shift cybersecurity from reactive patching to proactive protection.