OpenSSL Patches High-Severity Vulnerability Found With AI

https://www.securityweek.com/openssl-patches-high-severity-vulnerability-found-with-ai/

Publish Date: 2026-06-09 12:47:58

Source Domain: www.securityweek.com

Recent OpenSSL Updates Patch Critical Vulnerabilities

The latest OpenSSL releases have addressed 18 vulnerabilities, including one high-severity issue that could allow remote code execution. The most alarming flaw, identified as CVE-2026-45447, is a heap use-after-free bug found in a PKCS#7 verification function. Discovered through collaborative efforts between a California researcher and AI companies such as Anthropic and Google, this vulnerability can be triggered by sending a specially crafted PKCS#7 or S/MIME signed message. The ensuing heap corruption could result in code execution or application crashes. Moderate-severity flaws in the patched list could allow an attacker to decrypt communications, launch DoS attacks, or bypass integrity validation. Medium-severity flaws allow an attacker to trick systems into accepting fake certificate and key pairs, while low-severity vulnerabilities might facilitate crashes, message forgery, and the theft of private keys. With high-severity OpenSSL vulnerabilities rare, CVE-2026-45447 marks the second significant flaw of 2026.

Key Points:

  • OpenSSL patched 18 vulnerabilities, including a critical remote code execution flaw (CVE-2026-45447).
  • The high-severity vulnerability involves a heap use-after-free in PKCS#7 verification, exploitable through crafted messages.
  • Moderate flaws could enable encrypted communication decryption, DoS attacks, and arbitrary code execution.
  • Medium-severity flaws allow attackers to bypass authentication mechanisms.
  • Low-severity vulnerabilities are less critical but can cause crashes, message forgery, and key theft.