AI Found Twelve New Vulnerabilities in OpenSSL
Source: Schneier on Security
Overview
In the latest OpenSSL security release, on January 27, 2026, twelve new zero-day vulnerabilities were announced. An AI-driven system discovered all twelve and responsibly disclosed them to the OpenSSL team during the fall and winter of 2025.
- 10 vulnerabilities received CVE-2025 identifiers.
- 2 vulnerabilities received CVE-2026 identifiers.
Including the three CVEs previously found in the Fall 2025 release, the AI system (AISLE) is credited with surfacing 13 of the 14 OpenSSL CVEs assigned in 2025, and 15 total across both releases—an unusually high concentration for any single research team.
Notable Vulnerabilities
- CVE-2025-15467 – A stack buffer overflow in CMS message parsing that is potentially remotely exploitable without valid key material.
  - Severity: HIGH; the NIST CVSS v3 score is 9.8/10, which is classified as CRITICAL.
- Three bugs had been present since 1998‑2000, persisting for over a quarter‑century despite extensive fuzzing and auditing.
- One vulnerability predated OpenSSL itself, originating from Eric Young’s original SSLeay implementation in the 1990s.
Patches and Contributions
In five of the twelve cases, the AI system directly proposed patches that were accepted into the official OpenSSL release.
Impact
AI-driven vulnerability discovery is accelerating change across the cybersecurity landscape, offering capabilities that both offensive and defensive actors will leverage.