OpenSSL Fixes 18 Vulnerabilities, Including High-Severity AI-Assisted Discovery
The latest OpenSSL releases address a total of 18 security vulnerabilities, including a high-severity flaw that could potentially allow remote code execution. Some of the issues are reported to have been discovered with the assistance of AI tools.
High-Severity Flaw: CVE-2026-45447
The most critical issue, tracked as CVE-2026-45447, is a heap-based use-after-free vulnerability found in a function involved in PKCS#7 (Public-Key Cryptography Standard #7) signature verification.
The bug can be triggered when processing a PKCS#7 or S/MIME signed message, specifically when the SignedData structure contains an empty ASN.1 SET in the digestAlgorithms field. In such cases, OpenSSL may incorrectly free a caller-owned BIO object during PKCS7_verify(). If the application later attempts to use the freed BIO, a use-after-free condition occurs.
This flaw can lead to heap corruption, application crashes, and potentially remote code execution, depending on how the affected software is implemented.
The vulnerability was discovered by a researcher from California working in collaboration with Claude AI and Anthropic Research.
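A defender who cannot upgrade every consumer immediately may want to recognise the malformed structure the advisory describes at an ingestion boundary and reject it before the bytes ever reach PKCS7_verify(). The following is an added example, not OpenSSL project code: a minimal DER walker that descends ContentInfo -> [0] SignedData and reports whether the digestAlgorithms SET is empty. The function names (read_tlv, signed_data_has_empty_digest_algorithms, build_signed_data) and the two sample messages are assumptions constructed for this example; the samples are bare SignedData skeletons with no signers, built only so the check has something to run on.

```python
"""Boundary pre-check for PKCS#7 SignedData with an empty digestAlgorithms SET.

Added example (not OpenSSL's code). Pure-stdlib DER walking, so it runs
offline and can sit in front of any component that later calls
PKCS7_verify() on the same bytes.
"""

OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1
OID_SHA256 = bytes.fromhex("608648016503040201")       # 2.16.840.1.101.3.4.2.1


def read_tlv(buf: bytes, pos: int):
    """Parse one definite-length DER TLV at pos; return (tag, value, next_pos)."""
    if pos >= len(buf):
        raise ValueError("truncated DER: no tag byte")
    tag = buf[pos]
    pos += 1
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags are not expected in PKCS#7 framing")
    if pos >= len(buf):
        raise ValueError("truncated DER: no length byte")
    first = buf[pos]
    pos += 1
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        # n == 0 is the BER indefinite form, which DER forbids.
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad or indefinite length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:end], end


def signed_data_has_empty_digest_algorithms(der: bytes) -> bool:
    """True when ContentInfo wraps SignedData whose digestAlgorithms SET is empty.

    Returns False for non-SignedData content (envelopedData etc.), which this
    check does not cover. Raises ValueError on framing that is not well-formed.
    """
    tag, content_info, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("ContentInfo must be a SEQUENCE")
    tag, oid, pos = read_tlv(content_info, 0)
    if tag != 0x06:
        raise ValueError("ContentInfo.contentType must be an OID")
    if oid != OID_SIGNED_DATA:
        return False
    tag, explicit0, _ = read_tlv(content_info, pos)
    if tag != 0xA0:
        raise ValueError("expected [0] EXPLICIT content after contentType")
    tag, signed_data, _ = read_tlv(explicit0, 0)
    if tag != 0x30:
        raise ValueError("SignedData must be a SEQUENCE")
    tag, _version, pos = read_tlv(signed_data, 0)
    if tag != 0x02:
        raise ValueError("SignedData.version must be an INTEGER")
    tag, digest_algs, _ = read_tlv(signed_data, pos)
    if tag != 0x31:
        raise ValueError("SignedData.digestAlgorithms must be a SET")
    return len(digest_algs) == 0


# --- constructed sample inputs (skeletons with no signers) -------------------

def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV using short or long definite-length form."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def build_signed_data(algs: list) -> bytes:
    """Constructed ContentInfo/SignedData skeleton with the given digestAlgorithms."""
    signed = der(0x30,
                 der(0x02, b"\x01")                 # version 1
                 + der(0x31, b"".join(algs))        # digestAlgorithms SET
                 + der(0x30, der(0x06, OID_DATA))   # encapContentInfo, no eContent
                 + der(0x31, b""))                  # signerInfos (empty skeleton)
    return der(0x30, der(0x06, OID_SIGNED_DATA) + der(0xA0, signed))


SHA256_ALG = der(0x30, der(0x06, OID_SHA256) + der(0x05, b""))  # AlgorithmIdentifier
SAMPLE_EMPTY = build_signed_data([])            # the shape the advisory describes
SAMPLE_NORMAL = build_signed_data([SHA256_ALG])  # ordinary single-digest message

if __name__ == "__main__":
    for name, sample in (("empty", SAMPLE_EMPTY), ("normal", SAMPLE_NORMAL)):
        print(name, "-> reject" if signed_data_has_empty_digest_algorithms(sample) else "-> pass")
```

The check deliberately rejects rather than repairs: a message with no digest algorithm cannot verify anyway, so dropping it at the edge costs nothing and keeps the parser that owns the BIO from ever seeing it. It is a stopgap for the window before the fixed release is rolled out; it also says nothing about the application's own handling of the BIO after PKCS7_verify() returns, which is where the advisory places the use-after-free and which still needs auditing.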
Other Security Issues Patched
Alongside the high-severity bug, OpenSSL also fixed multiple moderate and low-severity vulnerabilities affecting cryptographic operations and certificate handling.
Moderate-Severity Issues
These flaws may allow attackers to:
- Decrypt encrypted communications
- Forge arbitrary ciphertexts
- Launch denial-of-service (DoS) attacks
- Bypass integrity validation checks
- Execute arbitrary code in certain scenarios
One notable medium-severity vulnerability could allow an attacker to trick a system into accepting a fake certificate and private key. This could enable authentication bypass with a probability of success estimated at 1-in-256.
Low-Severity Issues
The lower-impact vulnerabilities may still result in:
- Application crashes (DoS conditions)
- Message forgery
- Partial recovery of private keys
- Replacement of root CA certificates
- Potential arbitrary code execution in limited cases
AI Assistance in Vulnerability Discovery
Several of the patched issues were reportedly identified with assistance from AI systems. Alex Gaynor of Anthropic was credited with reporting around half a dozen vulnerabilities, suggesting that the company’s Mythos model may have contributed to uncovering these flaws.
Rarity of High-Severity Issues
High-severity vulnerabilities in OpenSSL remain relatively rare. Only one such issue was patched in the previous year, making CVE-2026-45447 the second high-severity vulnerability addressed in 2026 so far.
Earlier in April, OpenSSL developers also fixed a separate flaw that could allow attackers to access sensitive information.
Overall, the update highlights both the ongoing security risks in widely used cryptographic libraries and the growing role of AI-assisted research in vulnerability discovery.