AISLE Discovered 12 out of 12 OpenSSL Vulnerabilities

Autonomous zero-day discovery in one of the most scrutinized codebases in the world

AISLE's autonomous analyzer found all 12 CVEs in the January 2026 coordinated release of OpenSSL, the open-source cryptographic library that underpins a substantial proportion of the world’s secure communications. Some of these vulnerabilities had persisted in OpenSSL code for decades, evading the notice of thousands of security researchers.

Finding a genuine security flaw in OpenSSL is extraordinarily difficult. Even a single accepted vulnerability represents a rare achievement. The library's maturity and the community's vigilance make new discoveries exceptionally uncommon. This makes the January 2026 release an important milestone for autonomous security systems. As Tomáš Mráz, CTO of the OpenSSL Foundation, says,

“One of the most important sources of the security of the OpenSSL Library and open source projects overall is independent research. This release is fixing 12 security issues, all disclosed to us by AISLE. We appreciate the high quality of the reports and their constructive collaboration with us throughout the remediation.”

In this article, we’ll give an overview of our discoveries and explain why we think this is a watershed moment for AI-powered software security.

The Discoveries

The AISLE Research Team started hunting for OpenSSL vulnerabilities with our autonomous analyzer in August 2025. You can read about the three discoveries we made in Q3 of 2025 here. All of our discoveries were reported through responsible disclosure and resolved through coordinated releases with the OpenSSL project.

High and Moderate Severity CVEs

CVE-2025-15467: Stack Buffer Overflow in CMS AuthEnvelopedData Parsing (High): A vulnerability with the potential to enable remote code execution under specific conditions
CVE-2025-11187: PBMAC1 Parameter Validation in PKCS#12 (Moderate): Missing validation that could trigger a stack-based buffer overflow

Low Severity CVEs

CVE-2025-15468: Crash in QUIC protocol cipher handling
CVE-2025-15469: Silent truncation bug affecting post-quantum signature algorithms (ML-DSA)
CVE-2025-66199: Memory exhaustion via TLS 1.3 certificate compression
CVE-2025-68160: Memory corruption in line-buffering (affects code back to OpenSSL 1.0.2)
CVE-2025-69418: Encryption flaw in OCB mode on hardware-accelerated paths
CVE-2025-69419: Memory corruption in PKCS#12 character encoding
CVE-2025-69420: Crash in TimeStamp Response verification
CVE-2025-69421: Crash in PKCS#12 decryption
CVE-2026-22795: Crash in PKCS#12 parsing
CVE-2026-22796: Crash in PKCS#7 signature verification (affects code back to OpenSSL 1.0.2)

AISLE’s analyzer also recommended fixes which were incorporated directly into OpenSSL for 5 of the 12 CVEs.

Beyond CVEs: Catching Bugs Before They Ship

In addition to the 12 CVEs, 6 findings were never assigned a designation. In each case, AISLE detected the issue, reported it to the maintainers, and the fix was merged before the vulnerable code ever appeared in a release.

By integrating autonomous analysis directly into development workflows, security issues were identified and resolved before they reached users. That is our goal: preventing vulnerabilities, not merely patching them after deployment.

What This Means

OpenSSL represents one of the most deployed, battle-tested, and carefully maintained open-source projects in existence. The fact that 12 previously unknown vulnerabilities could still be found there, including issues dating back to 1998, suggests that manual review faces significant limits, even in mature, heavily audited codebases.

Human reviewers are constrained by time, attention, and the sheer volume of code in modern systems. Traditional static analysis catches certain bug classes but struggles with complex logic errors and timing-dependent issues. By contrast, autonomous AI-driven analysis operates at a different scale. It can examine code paths and edge cases that would take human reviewers months to cover, and it runs continuously rather than periodically.

This doesn't mean that AI can replace human expertise. The OpenSSL maintainers' deep knowledge of the codebase was essential for validating findings and developing robust fixes. But it does change the SLA of security. When autonomous discovery is paired with responsible disclosure, it collapses the time-to-remediation for the entire ecosystem.

The 12 OpenSSL vulnerabilities we identified, spanning 8+ subsystems from CMS to QUIC to post-quantum signatures, represent a milestone in our (admittedly ambitious) mission: moving from reactive patching to securing the software foundation that modern civilization depends on.

Collaboration with OpenSSL

From the moment our system flagged these anomalies, we approached this as a partnership with the OpenSSL community. We submitted detailed technical reports through their coordinated security reporting process, including complete reproduction steps, root cause analysis, and concrete patch proposals. In each case, our proposed fixes either informed or were directly adopted by the OpenSSL team.

As Matt Caswell, Executive Director of the OpenSSL Foundation, said, “Keeping widely deployed cryptography secure requires tight coordination between maintainers and researchers. We appreciate AISLE's responsible disclosures and the quality of their engagement across these issues."

The OpenSSL team's responsiveness was exceptional. Under the leadership of Tomáš Mráz, the Chief Technical Officer (CTO) at the OpenSSL Foundation, the maintainers engaged technically at every stage: validating findings, refining patches, coordinating releases across multiple branches, and synchronizing with downstream distributions.