OpenSSL Patches High-Severity Use-After-Free Vulnerability Discovered with AI Assistance
OpenSSL has released critical security updates addressing 18 vulnerabilities, including a high-severity use-after-free flaw potentially found with AI.

OpenSSL, the ubiquitous cryptographic library, has issued urgent security patches for 18 vulnerabilities, with particular attention on a high-severity flaw that could lead to remote code execution. The update, released on June 9, 2026, addresses a high-severity bug tracked as CVE-2026-45447, a heap use-after-free in a function responsible for PKCS#7 signature verification.
The flaw can be triggered by a specially crafted PKCS#7 or S/MIME signed message. According to OpenSSL developers, if the SignedData digestAlgorithms field is present as an empty ASN.1 SET, PKCS7_verify() may incorrectly free a BIO that the caller owns. Any subsequent use of that BIO by the calling application, whether further I/O on it or the application's own cleanup of it, is then a use-after-free, which can lead to heap corruption, a process crash and, potentially, remote code execution. The practical consequence is that an application is exposed simply by verifying an attacker-supplied message: the defect is in the library's handling of the input, not in anything the caller does wrong.
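As an added example (not OpenSSL's code, and not a reproduction of the bug), the following Python walks a DER-encoded PKCS#7 ContentInfo just far enough to tell whether SignedData.digestAlgorithms is an empty SET, the input shape the advisory describes, so a mail gateway or an application can reject such messages before ever handing them to PKCS7_verify(). The two sample messages are constructed here with a minimal DER encoder and carry no real signature; the helper names (read_tlv, expect, to_der, to_pem, build_signed_data) are this example's own.

```python
"""Pre-flight check for PKCS#7 SignedData with an empty digestAlgorithms SET.
Added example; not OpenSSL code. Sample inputs below are constructed, not real."""
import base64

# DER-encoded OID bodies (contentType values from PKCS#7 / CMS)
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2 signedData
OID_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1 data
OID_SHA256 = bytes.fromhex("608648016503040201")       # 2.16.840.1.101.3.4.2.1 sha256

TAG_INTEGER, TAG_OID, TAG_SEQUENCE, TAG_SET, TAG_CTX0 = 0x02, 0x06, 0x30, 0x31, 0xA0


def read_tlv(buf: bytes, pos: int):
    """Decode one DER TLV at buf[pos]; return (tag, value, position after it).
    Rejects indefinite and non-minimal lengths, which are BER but not DER."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER: missing tag or length")
    tag, first = buf[pos], buf[pos + 1]
    if tag & 0x1F == 0x1F:
        raise ValueError("high-tag-number form not expected in PKCS#7 outer structure")
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("indefinite, oversized or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if length < 0x80 or (n > 1 and length < 1 << (8 * (n - 1))):
            raise ValueError("non-minimal length encoding is not DER")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER: value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def expect(buf: bytes, pos: int, tag: int, what: str):
    """read_tlv that insists on one tag; returns (value, position after it)."""
    got, value, nxt = read_tlv(buf, pos)
    if got != tag:
        raise ValueError(f"expected {what} (tag 0x{tag:02x}), got tag 0x{got:02x}")
    return value, nxt


def has_empty_digest_algorithms(der: bytes) -> bool:
    """True when ContentInfo carries SignedData whose digestAlgorithms SET is empty."""
    content_info, _ = expect(der, 0, TAG_SEQUENCE, "ContentInfo")
    content_type, p = expect(content_info, 0, TAG_OID, "contentType")
    if content_type != OID_SIGNED_DATA:
        raise ValueError("contentType is not signedData")
    explicit, _ = expect(content_info, p, TAG_CTX0, "[0] EXPLICIT content")
    signed_data, _ = expect(explicit, 0, TAG_SEQUENCE, "SignedData")
    _, p = expect(signed_data, 0, TAG_INTEGER, "version")
    digest_algorithms, _ = expect(signed_data, p, TAG_SET, "digestAlgorithms")
    return len(digest_algorithms) == 0


def to_der(blob: bytes) -> bytes:
    """Accept raw DER, PEM (-----BEGIN PKCS7-----) or the bare base64 body of an
    application/pkcs7-mime part. DER of a SEQUENCE starts with byte 0x30; base64
    of such a blob starts with 'M' and PEM with '-', so the first byte disambiguates."""
    if blob[:1] == b"\x30":
        return blob
    lines = [ln.strip() for ln in blob.splitlines()
             if ln.strip() and not ln.strip().startswith(b"-----")]
    return base64.b64decode(b"".join(lines), validate=True)


def to_pem(der: bytes) -> bytes:
    """PEM-wrap DER as a PKCS7 block (76-column base64 lines)."""
    return b"-----BEGIN PKCS7-----\n" + base64.encodebytes(der) + b"-----END PKCS7-----\n"


# --- constructed sample inputs (not real signed messages) ----------------------

def tlv(tag: int, body: bytes) -> bytes:
    """Minimal DER encoder, used only to build the samples."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def build_signed_data(digest_algorithms_body: bytes) -> bytes:
    """SignedData skeleton (version 1, detached data content, no signers) around the
    given digestAlgorithms SET body. Enough structure for the check; not a valid signature."""
    detached_content = tlv(TAG_SEQUENCE, tlv(TAG_OID, OID_DATA))
    signed_data = (tlv(TAG_INTEGER, b"\x01")
                   + tlv(TAG_SET, digest_algorithms_body)
                   + detached_content
                   + tlv(TAG_SET, b""))              # empty signerInfos
    content = tlv(TAG_CTX0, tlv(TAG_SEQUENCE, signed_data))
    return tlv(TAG_SEQUENCE, tlv(TAG_OID, OID_SIGNED_DATA) + content)


SHA256_ALG_ID = tlv(TAG_SEQUENCE, tlv(TAG_OID, OID_SHA256) + b"\x05\x00")  # sha256, NULL params
NORMAL_MESSAGE = build_signed_data(SHA256_ALG_ID)   # digestAlgorithms = { sha256 }
EMPTY_SET_MESSAGE = build_signed_data(b"")          # digestAlgorithms = {} (the advisory's shape)

if __name__ == "__main__":
    for name, msg in (("normal", NORMAL_MESSAGE), ("empty-set", to_pem(EMPTY_SET_MESSAGE))):
        verdict = "REJECT" if has_empty_digest_algorithms(to_der(msg)) else "pass to PKCS7_verify"
        print(f"{name:10s} -> {verdict}")
```

This is a filter, not a fix: it recognises one malformed shape and refuses it up front, which buys time on hosts that cannot be patched immediately, but the real remedy is the updated library. Any input the walker rejects as malformed DER should be treated the same way as the empty SET, since a verifier that never sees the message cannot be made to free anything.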
Adding a layer of intrigue to this discovery, the high-severity vulnerability was reportedly found by a researcher in collaboration with Claude AI and Anthropic Research. Alex Gaynor of Anthropic is credited with reporting several of the newly patched vulnerabilities, suggesting that Anthropic's AI models, such as Mythos, may have played a role in identifying these security weaknesses. This highlights a growing trend of AI being leveraged in the discovery of software vulnerabilities.
Beyond the critical CVE-2026-45447, the patches also address numerous moderate-severity flaws. These issues could enable attackers to decrypt encrypted communications, forge arbitrary ciphertexts, launch denial-of-service (DoS) attacks, bypass integrity validation, and execute arbitrary code. One notable moderate flaw could trick a system into accepting a fake, attacker-controlled certificate and private key, potentially allowing an attacker to bypass authentication mechanisms with a low, but non-zero, success rate.
The remaining low-severity vulnerabilities, while less impactful individually, collectively pose a risk. These can lead to application crashes (DoS), message forgery, recovery of private keys, replacement of root Certificate Authority (CA) certificates, and in some cases, could also be chained to achieve arbitrary code execution. The breadth of vulnerabilities patched underscores the importance of timely updates for this foundational cryptographic software.
High-severity vulnerabilities in OpenSSL are relatively rare, making CVE-2026-45447 particularly noteworthy. This marks only the second high-severity flaw patched in OpenSSL in 2026, with the previous one occurring in April and allowing attackers to obtain sensitive data. The library's robust security posture generally means that such critical issues are infrequent, increasing the urgency for users to apply the latest patches.
OpenSSL has released updated versions to address these vulnerabilities. Users are strongly advised to update their OpenSSL installations to the latest patched versions as soon as possible to mitigate the risks associated with these flaws. The ongoing discovery of vulnerabilities, even in mature software like OpenSSL, emphasizes the continuous need for vigilance and proactive security practices in the software development lifecycle.
The involvement of AI in vulnerability discovery, as seen with CVE-2026-45447, signals a new era in cybersecurity. While AI can accelerate the identification of flaws, it also necessitates faster patching cycles and a re-evaluation of security responsibilities within organizations to keep pace with evolving threat landscapes.