OpenSSL Patches 18 Vulnerabilities, Including High-Severity Remote Code Execution Flaw
OpenSSL has released updates addressing 18 vulnerabilities, among them a high-severity heap use-after-free bug (CVE-2026-45447) that could enable remote code execution. The flaw, discovered by a California-based researcher in collaboration with Claude AI and Anthropic Research, affects PKCS#7 signature verification when processing maliciously crafted PKCS#7 or S/MIME signed messages.
The vulnerability occurs if the SignedData digestAlgorithms field is present as an empty ASN.1 SET, causing OpenSSL to incorrectly free a caller-owned BIO during PKCS7_verify(). Exploitation could lead to heap corruption, process crashes, or remote code execution.
In addition to the high-severity issue, the patches fix moderate- and low-severity flaws that could allow decryption of encrypted communications, DoS attacks, certificate forgery, private key recovery, and arbitrary code execution. One medium-severity weakness enables attackers to bypass authentication by tricking systems into accepting fake certificates with a 1-in-256 success rate.
Anthropic researcher Alex Gaynor reported six of the patched vulnerabilities, suggesting potential involvement of the company’s Mythos AI model in identifying the flaws. High-severity OpenSSL vulnerabilities remain rare: this is only the second such flaw patched in 2026, following a sensitive data exposure issue resolved in April.
The updates underscore the ongoing risks in widely used cryptographic libraries, particularly for systems relying on PKCS#7 and S/MIME verification. Organizations using OpenSSL are advised to apply the patches promptly.
Source: https://www.securityweek.com/openssl-patches-high-severity-vulnerability-found-with-ai/
OpenSSL TPRM report: https://www.rankiteo.com/company/openssl-corporation
{
  "id": "ope1781094346",
  "linkid": "openssl-corporation",
  "type": "Vulnerability",
  "date": "6/2026",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{
  "affected_entities": [
    {
      "customers_affected": "Organizations using OpenSSL for PKCS#7 and S/MIME verification",
      "industry": "Software/Security",
      "name": "OpenSSL",
      "type": "Cryptographic Library"
    }
  ],
  "attack_vector": "Maliciously crafted PKCS#7 or S/MIME signed messages",
  "description": "OpenSSL has released updates addressing 18 vulnerabilities, including a high-severity heap use-after-free bug (CVE-2026-45447) that could enable remote code execution. The flaw affects PKCS#7 signature verification when processing maliciously crafted PKCS#7 or S/MIME signed messages. The vulnerability occurs if the SignedData digestAlgorithms field is present as an empty ASN.1 SET, causing OpenSSL to incorrectly free a caller-owned BIO during PKCS7_verify(). Exploitation could lead to heap corruption, process crashes, or remote code execution. Additionally, the patches fix moderate- and low-severity flaws that could allow decryption of encrypted communications, DoS attacks, certificate forgery, private key recovery, and arbitrary code execution.",
  "impact": {
    "operational_impact": "Process crashes, remote code execution, heap corruption",
    "systems_affected": "Systems relying on OpenSSL for PKCS#7 and S/MIME verification"
  },
  "investigation_status": "Completed (patches released)",
  "lessons_learned": "Ongoing risks in widely used cryptographic libraries underscore the need for prompt patching and vigilance in security practices.",
  "post_incident_analysis": {
    "corrective_actions": "Patches released to fix 18 vulnerabilities, including the high-severity RCE flaw",
    "root_causes": "Heap use-after-free vulnerability in PKCS#7 signature verification due to improper handling of empty ASN.1 SET in SignedData digestAlgorithms field"
  },
  "recommendations": "Organizations using OpenSSL are advised to apply the patches promptly to mitigate risks of remote code execution, DoS attacks, and other exploits.",
  "references": [
    {"source": "Anthropic Research"}
  ],
  "response": {
    "communication_strategy": "Public disclosure of vulnerabilities and patches",
    "containment_measures": "Patches released for 18 vulnerabilities",
    "remediation_measures": "Apply OpenSSL updates promptly"
  },
  "stakeholder_advisories": "Organizations relying on OpenSSL for PKCS#7 and S/MIME verification should apply updates immediately.",
  "title": "OpenSSL Patches 18 Vulnerabilities, Including High-Severity Remote Code Execution Flaw",
  "type": "Vulnerability Disclosure",
  "vulnerability_exploited": "CVE-2026-45447 (heap use-after-free in PKCS#7 signature verification)"
}