OpenSSL Patches High-Severity Vulnerability Found With AI
https://www.securityweek.com/openssl-patches-high-severity-vulnerability-found-with-ai/
Publish Date: 2026-06-09 12:47:58
Source Domain: www.securityweek.com
Recent OpenSSL Updates Patch Critical Vulnerabilities
The latest OpenSSL releases address 18 vulnerabilities, including one high-severity issue that could allow remote code execution. The most serious flaw, tracked as CVE-2026-45447, is a heap use-after-free bug in a PKCS#7 verification function. Discovered through collaboration between a California researcher and AI companies including Anthropic and Google, the vulnerability can be triggered by sending a specially crafted PKCS#7 or S/MIME signed message; the resulting heap corruption could lead to code execution or an application crash.

Moderate-severity flaws in the patched set could allow an attacker to decrypt communications, launch DoS attacks, or bypass integrity validation. Medium-severity flaws could let an attacker trick systems into accepting fake certificate and key pairs, while low-severity vulnerabilities might facilitate crashes, message forgery, and the theft of private keys. High-severity OpenSSL vulnerabilities are rare; CVE-2026-45447 is the second significant flaw of 2026.
Key Points:
- OpenSSL patched 18 vulnerabilities, including a critical remote code execution flaw (CVE-2026-45447).
- The high-severity vulnerability is a heap use-after-free in PKCS#7 verification, exploitable through crafted PKCS#7 or S/MIME signed messages.
- Moderate-severity flaws could enable decryption of communications, DoS attacks, and bypass of integrity validation.
- Medium-severity flaws allow attackers to bypass authentication mechanisms.
- Low-severity vulnerabilities are less critical but can cause crashes, message forgery, and key theft.