Tech News
← Back to articles

AI-assisted cybersecurity team discovers 12 OpenSSL vulnerabilities, claims humans are the limiting factor — some vulnerabilities have been around for decades

2026-01-29 | original
read original related products more articles

OpenSSL is a security standard that protects most of the internet, and cybersecurity researchers have recently discovered vulnerabilities in the standard that have been lying undetected for decades. The Cybersecurity team at Aisle reported in a blog post that it found 12 CVEs in OpenSSL's codebase and has issued fixes for all 12 CVEs. All of these vulnerabilities were only discovered with the help of AI-powered security tools.

All 12 CVEs include high, moderate, and low-severity variants. CVE-2025-15467 is a Stack Buffer Overflow vulnerability that can enable attackers to execute remote commands under certain conditions. CVE-2025-11187 is a vulnerability that takes advantage of a missing validation that could trigger a stack-based buffer overflow. The former is considered high severity, while the latter is considered moderate.

All high and moderate Severity CVEs: CVE-2025-15467: Stack Buffer Overflow in CMS AuthEnvelopedData Parsing (High): A vulnerability with the potential to enable remote code execution under specific conditions CVE-2025-11187: PBMAC1 Parameter Validation in PKCS#12 (Moderate): Missing validation that could trigger a stack-based buffer overflow

Low Severity CVEs CVE-2025-15468: Crash in QUIC protocol cipher handling CVE-2025-15469: Silent truncation bug affecting post-quantum signature algorithms (ML-DSA) CVE-2025-66199: Memory exhaustion via TLS 1.3 certificate compression CVE-2025-68160: Memory corruption in line-buffering (affects code back to OpenSSL 1.0.2) CVE-2025-69418: Encryption flaw in OCB mode on hardware-accelerated paths CVE-2025-69419: Memory corruption in PKCS#12 character encoding CVE-2025-69420: Crash in TimeStamp Response verification CVE-2025-69421: Crash in PKCS#12 decryption CVE-2026-22795: Crash in PKCS#12 parsing CVE-2026-22796: Crash in PKCS#7 signature verification (affects code back to OpenSSL 1.0.2)

The rest are considered low-severity CVEs and include OpenSSL behaviors, ranging from memory exhaustion, memory corruption, encryption flaws, and straight-up crashes.

Aisle reported that at least some of the 12 vulnerabilities can be traced back all the way to 1998. The discovery reveals how problematic manual human vulnerability detection can be. OpenSSL is one of the most popular tools for implementing SSL and TLS protocols for security purposes. If you've ever been to a website with an HTTPS URL, that website is likely encrypted and protected with OpenSSL.

... continue reading

Related:
AMD CES 2026 gaming trends press Q&A roundtable transcript — 'we see a little bit of an uptick in the percentage of AM4 versus AM5 platforms'
Apple set to report earnings: iPhone growth, AI, memory costs will be in focus in first quarter
An AI Toy Exposed 50,000 Logs of Its Chats With Kids to Anyone With a Gmail Account
Upwind raises $250M at $1.5B valuation to continue building ‘runtime’ cloud security
SK Hynix overtakes Samsung in annual profit for the first time as AI reshapes rivalry

© 2026 GoKawiil