AISLE Uncovered 5 of 7 OpenSSL Vulnerabilities in the April 2026 Release

Author: Stanislav Fort

OpenSSL

As AI-powered vulnerability detection commands attention in newsrooms and boardrooms alike, AISLE’s autonomous system has discovered five of the seven security issues patched in the April release of OpenSSL 3.5.6. Since AI champions like Tencent and Anthropic also reported a few vulnerabilities, these findings serve to shed light on a critical question: do high-powered models find more security vulnerabilities than multi-model systems?

OpenSSL is an ideal testing ground for emerging approaches to autonomous cybersecurity. As one of the world’s most widely adopted cryptographic libraries, it is widely recognized as a mature, highly secure codebase. Yet in the six months since October 2025, AISLE found 20 security vulnerabilities significant enough to warrant CVE designation, including the first high severity issue discovered since 2022.

These findings indicate that multi-model systems can detect more vulnerabilities than even the most highly powered models, and at a fraction of the cost.

The Discoveries

All of the following were responsibly disclosed by researchers from AISLE. Two were also fixed using patches generated by AISLE’s autonomous vulnerability management platform:

  • CVE-2026-28386 (9.1 CVSS Score) — Out-of-bounds read (up to 15 bytes) in the AES-CFB-128 assembly path on x86-64 CPUs with AVX-512/VAES when processing partial blocks at a page boundary; can crash the process (DoS). (Simultaneously reported and fixed by Alex Gaynor of Anthropic)
  • CVE-2026-28390 (7.5 CVSS Score) — NULL pointer dereference in CMS EnvelopedData handling when KeyTransportRecipientInfo uses RSA-OAEP and the SourceFunc parameters field is absent; same CMS_decrypt() DoS exposure on untrusted input. (Simultaneously reported by researchers from Tencent)
  • CVE-2026-28388 (5.9 CVSS Score) — NULL pointer dereference while processing a delta CRL that carries a Delta CRL Indicator but omits the required CRL Number extension; causes a crash (DoS) during X.509 verification with X509_V_FLAG_USE_DELTAS.
  • CVE-2026-28389 (5.9 CVSS Score) — NULL pointer dereference in CMS EnvelopedData handling when KeyAgreeRecipientInfo omits the optional algorithm parameters field; CMS_decrypt() on attacker-controlled input crashes before any crypto runs (DoS). (Simultaneously reported by researchers at Praetorian, Seoul National University, and Tencent)
  • CVE-2026-28387 (3.7 CVSS Score) — Use-after-free / double-free in the DANE client when a server publishes TLSA records mixing PKIX-TA(0)/PKIX-EE(1) with DANE-TA(2); can corrupt memory or enable code execution on affected clients.
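The DANE entry above names a concrete record shape: a server's TLSA set that mixes PKIX-TA (0) or PKIX-EE (1) with DANE-TA (2). As an added illustration, not code from AISLE or from OpenSSL, the following Python snippet parses TLSA records in their presentation form and flags that combination, so a defender can inspect a server's published TLSA set (or gate what is fed to a client that has not yet picked up the fixed release). The parser, the constructed sample records and the policy of flagging mixed sets are assumptions of this example, not anything the post specifies.

```python
"""Sanity-check a set of DANE TLSA records for the usage mix named in CVE-2026-28387.

Added example; the record parser, sample data and policy below are
assumptions of this example, not part of the original post.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Certificate usage values from RFC 6698 / RFC 7671.
PKIX_TA, PKIX_EE, DANE_TA, DANE_EE = 0, 1, 2, 3
USAGE_NAMES = {PKIX_TA: "PKIX-TA(0)", PKIX_EE: "PKIX-EE(1)",
               DANE_TA: "DANE-TA(2)", DANE_EE: "DANE-EE(3)"}


@dataclass(frozen=True)
class TlsaRecord:
    usage: int
    selector: int        # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching_type: int   # 0 = exact, 1 = SHA-256, 2 = SHA-512
    data: bytes


def parse_tlsa_rdata(text: str) -> TlsaRecord:
    """Parse one TLSA RDATA in presentation form: 'usage selector mtype hexdata'."""
    parts = text.split()
    if len(parts) != 4:
        raise ValueError(f"expected 4 fields, got {len(parts)}: {text!r}")
    usage, selector, mtype = (int(p) for p in parts[:3])
    if usage not in USAGE_NAMES:
        raise ValueError(f"bad certificate usage {usage}")
    if selector not in (0, 1):
        raise ValueError(f"bad selector {selector}")
    if mtype not in (0, 1, 2):
        raise ValueError(f"bad matching type {mtype}")
    data = bytes.fromhex(parts[3])
    # Hash-based matching types have a fixed digest length; enforce it.
    expected = {1: 32, 2: 64}.get(mtype)
    if expected is not None and len(data) != expected:
        raise ValueError(f"matching type {mtype} needs {expected} bytes, got {len(data)}")
    return TlsaRecord(usage, selector, mtype, data)


def usage_mix_findings(records: Iterable[TlsaRecord]) -> List[str]:
    """Return human-readable findings; empty list means the set is not flagged."""
    usages = {r.usage for r in records}
    findings = []
    pkix = usages & {PKIX_TA, PKIX_EE}
    if pkix and DANE_TA in usages:
        names = ", ".join(USAGE_NAMES[u] for u in sorted(pkix))
        findings.append(
            f"TLSA set mixes {names} with {USAGE_NAMES[DANE_TA]}: "
            "the combination described for CVE-2026-28387; treat with care on "
            "clients that have not picked up the fixed OpenSSL release")
    return findings


# Constructed sample: a fictional server publishing a mixed TLSA set.
SAMPLE_MIXED = [
    "2 1 1 " + "ab" * 32,   # DANE-TA, SPKI, SHA-256 (constructed digest)
    "0 0 1 " + "cd" * 32,   # PKIX-TA, full cert, SHA-256 (constructed digest)
]
# Constructed sample: the common opportunistic-DANE shape, DANE-EE only.
SAMPLE_CLEAN = ["3 1 1 " + "ef" * 32]


def check_record_set(rdata_lines: Iterable[str]) -> List[str]:
    """Parse a list of presentation-form TLSA records and evaluate them."""
    return usage_mix_findings(parse_tlsa_rdata(line) for line in rdata_lines)


if __name__ == "__main__":
    for label, sample in (("mixed", SAMPLE_MIXED), ("clean", SAMPLE_CLEAN)):
        result = check_record_set(sample)
        print(f"{label}: {result or 'no findings'}")
```

The check only looks at usage values, so it is cheap enough to run over every TLSA set a resolver returns; records with malformed digest lengths are rejected at parse time rather than silently passed through.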

Implications for AI-Powered Vulnerability Detection

AISLE’s latest OpenSSL discoveries shed light on a high-stakes debate over the right path forward for AI-powered cybersecurity. In April of 2026, Anthropic’s Mythos announcement launched AI-powered vulnerability detection into public awareness. To some, it seemed that expensive, high-powered frontier models would massively outperform more affordable security analyzers.

Yet as decision makers worried about securing their code bases against an AI so powerful that only a handful of enterprises could be entrusted with it, researchers found that open-source models could produce the same results at up to 600x lower compute cost.

In fact, AISLE’s co-founder Stanislav Fort rapidly built a system that surfaced real vulnerabilities in FreeBSD and OpenBSD, even after they were scanned by Mythos. It’s available as free open-source software.

So when AISLE’s autonomous system discovered five OpenSSL vulnerabilities while Anthropic reported only one, it validated the premise underlying Fort’s research. AISLE’s autonomous system uses multiple models to build an understanding of each codebase it analyzes. Rather than treating vulnerability detection as a problem to be solved by brute power, it matches each model’s capabilities to the specific task it performs, whether that is broad-spectrum scanning, vulnerability analysis, or triage.

These real-world results indicate that when it comes to finding security issues in mature, robust codebases, thoughtfully designed security systems outperform high-powered models. That they do so at a fraction of the cost is of secondary importance to the fundamental mission of securing code.

AISLE’s Multi-Model Platform is Available Now

The AISLE system has discovered 20 OpenSSL vulnerabilities in the last six months, which is why we believe in making it available to defenders. If you’d like to see what our autonomous vulnerability management platform will find in your codebase, request a demo.

AISLE researchers contributing to these discoveries include Stanislav Fort, Pavel Kohout, Igor Morgenstern, and Joshua Rogers. Our appreciation goes to the OpenSSL team for their continued collaboration and professionalism.