OpenSSL has released updates addressing multiple vulnerabilities, the most serious of which is a high-severity flaw that could lead to remote code execution. The issue, tracked as CVE-2026-45447, is a heap use-after-free in the PKCS#7 verification code path (PKCS7_verify()).
Discovery and Technical Details
The high-severity vulnerability was uncovered by a California-based researcher in collaboration with Claude AI and Anthropic Research. It is triggered by a specially crafted PKCS#7 or S/MIME signed message submitted for verification. According to the OpenSSL developers, the bug occurs when the digestAlgorithms field of SignedData is an empty ASN.1 SET: in that case PKCS7_verify() frees a BIO that belongs to the caller, leaving the caller with a dangling pointer that is later used or freed again (the use-after-free). The outcome ranges from heap corruption and application crashes to possible remote code execution, so any application that passes attacker-supplied PKCS#7 or S/MIME messages to PKCS7_verify() is exposed until it is updated.
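The structural condition described above (an empty digestAlgorithms SET inside SignedData) is easy to recognise in the raw DER before a message ever reaches PKCS7_verify(). The following is an added example, not OpenSSL code and not the researchers' proof of concept: a dependency-free DER walker that counts the entries in SignedData.digestAlgorithms and flags a zero count. The two sample messages it builds are constructed here solely as parser input (no certificates, no signatures) and the function names are this example's own.

```python
"""
Pre-flight check for the condition described in the advisory text: a PKCS#7
SignedData whose digestAlgorithms SET is empty. Added example, not OpenSSL
code; DER is walked by hand so it runs without any library. The sample
messages at the bottom are constructed for this example and carry no
real signature.
"""

OID_SIGNED_DATA = bytes.fromhex("2A864886F70D010702")   # 1.2.840.113549.1.7.2
OID_DATA        = bytes.fromhex("2A864886F70D010701")   # 1.2.840.113549.1.7.1
OID_SHA256      = bytes.fromhex("608648016503040201")   # 2.16.840.1.101.3.4.2.1


def tlv(tag, body):
    """Encode one DER TLV with definite-length encoding (short or long form)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        nbytes = (n.bit_length() + 7) // 8
        length = bytes([0x80 | nbytes]) + n.to_bytes(nbytes, "big")
    return bytes([tag]) + length + body


def read_tlv(buf, off):
    """Decode the TLV at buf[off:]; return (tag, value, offset_after).
    Raises ValueError on truncated or oversized length fields."""
    if off + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first = buf[off], buf[off + 1]
    off += 2
    if first < 0x80:
        n = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or off + nbytes > len(buf):
            raise ValueError("bad length")
        n = int.from_bytes(buf[off:off + nbytes], "big")
        off += nbytes
    if off + n > len(buf):
        raise ValueError("truncated value")
    return tag, buf[off:off + n], off + n


def children(value):
    """Yield the (tag, value) pairs directly inside a constructed value."""
    off = 0
    while off < len(value):
        tag, val, off = read_tlv(value, off)
        yield tag, val


def count_digest_algorithms(der):
    """Return the number of entries in SignedData.digestAlgorithms.

    Structure walked: ContentInfo SEQUENCE { OID id-signedData,
    [0] EXPLICIT SignedData SEQUENCE { INTEGER version,
    SET OF AlgorithmIdentifier, ... } }.
    """
    tag, content_info, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("ContentInfo is not a SEQUENCE")
    parts = list(children(content_info))
    if len(parts) != 2 or parts[0] != (0x06, OID_SIGNED_DATA):
        raise ValueError("not a signedData ContentInfo")
    ctx0_tag, ctx0 = parts[1]
    if ctx0_tag != 0xA0:
        raise ValueError("content is not [0] EXPLICIT")
    sd_tag, signed_data, _ = read_tlv(ctx0, 0)
    if sd_tag != 0x30:
        raise ValueError("SignedData is not a SEQUENCE")
    fields = list(children(signed_data))
    if len(fields) < 2 or fields[0][0] != 0x02 or fields[1][0] != 0x31:
        raise ValueError("SignedData does not start with INTEGER, SET")
    # Each DigestAlgorithmIdentifier inside the SET is itself a SEQUENCE.
    return sum(1 for t, _ in children(fields[1][1]) if t == 0x30)


def has_empty_digest_algorithms(der):
    """True when the message has the shape the advisory describes."""
    return count_digest_algorithms(der) == 0


def build_signed_data(digest_algs):
    """Assemble a minimal detached signedData with the given AlgorithmIdentifiers.
    Constructed test input only: no certificates and no SignerInfos."""
    signed = tlv(0x30,
                 tlv(0x02, b"\x01")                    # version 1
                 + tlv(0x31, b"".join(digest_algs))    # digestAlgorithms SET OF
                 + tlv(0x30, tlv(0x06, OID_DATA))      # contentInfo: id-data, detached
                 + tlv(0x31, b""))                     # signerInfos: empty SET
    return tlv(0x30, tlv(0x06, OID_SIGNED_DATA) + tlv(0xA0, signed))


SHA256_ALG = tlv(0x30, tlv(0x06, OID_SHA256) + tlv(0x05, b""))  # sha256, NULL params
SAMPLE_EMPTY = build_signed_data([])             # the shape the advisory describes
SAMPLE_SHA256 = build_signed_data([SHA256_ALG])  # ordinary well-formed shape

if __name__ == "__main__":
    for name, blob in (("empty", SAMPLE_EMPTY), ("sha256", SAMPLE_SHA256)):
        verdict = "reject before PKCS7_verify" if has_empty_digest_algorithms(blob) else "ok"
        print(name, "digestAlgorithms entries:", count_digest_algorithms(blob), "->", verdict)
```

Such a check belongs in front of the verifier, not in place of the patch: it recognises only the one trigger the advisory names, and the real fix is updating OpenSSL. It does, however, give an operator a cheap way to log or drop messages of this exact shape while the upgrade is rolled out.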
Impact of the Patched Vulnerabilities
Alongside the high-severity issue, OpenSSL has resolved several moderate-severity vulnerabilities. Depending on the flaw, these could let an attacker decrypt encrypted communications, forge arbitrary ciphertexts, or cause a denial of service (DoS). One moderate-severity vulnerability could also allow an authentication bypass, with a 1-in-256 chance of success per attempt, by tricking a system into accepting a fake certificate and private key.
The low-severity vulnerabilities fixed in the same release could lead to crashes, message forgery, and the recovery of private keys, among other issues. Taken together, the batch underlines why OpenSSL updates should be applied promptly rather than deferred.
Contribution by AI in Vulnerability Detection
Alex Gaynor of Anthropic is credited with reporting several of the vulnerabilities in this batch, which suggests that the company's Mythos model may have played a role in finding them. The involvement of AI in uncovering such flaws highlights the growing role of machine-assisted analysis in vulnerability discovery.
High-severity vulnerabilities in OpenSSL are uncommon, with only a single critical flaw patched last year. CVE-2026-45447 is the second high-severity issue of this year, underscoring the ongoing challenges in securing widely deployed open-source software.
In related news, other platforms like Drupal, Chrome, and Android have also addressed critical vulnerabilities, emphasizing the pervasive nature of cybersecurity threats and the continuous effort required to mitigate such risks.
