
AI-assisted cybersecurity team discovers 12 OpenSSL vulnerabilities, claims humans are the limiting factor — some vulnerabilities have been around for decades - Tom's Hardware

Tom's Hardware, Mar 18, 2026



(Image credit: Getty Images)

OpenSSL is a security standard that protects most of the internet, and cybersecurity researchers have recently discovered vulnerabilities in it that had gone undetected for decades. The cybersecurity team at Aisle reported in a blog post that it found 12 CVEs in OpenSSL's codebase and has issued fixes for all 12. All of these vulnerabilities were discovered only with the help of AI-powered security tools. The 12 CVEs span high, moderate, and low severities. CVE-2025-15467 is a stack buffer overflow that can enable attackers to execute remote commands under certain conditions. CVE-2025-11187 stems from a missing validation check that could trigger a stack-based buffer overflow. The former is rated high severity, the latter moderate.

All high- and moderate-severity CVEs:

- CVE-2025-15467: Stack buffer overflow in CMS AuthEnvelopedData parsing (High). A vulnerability with the potential to enable remote code execution under specific conditions.
- CVE-2025-11187: PBMAC1 parameter validation in PKCS#12 (Moderate). Missing validation that could trigger a stack-based buffer overflow.

Low-severity CVEs:

- CVE-2025-15468: Crash in QUIC protocol cipher handling
- CVE-2025-15469: Silent truncation bug affecting post-quantum signature algorithms (ML-DSA)
- CVE-2025-66199: Memory exhaustion via TLS 1.3 certificate compression
- CVE-2025-68160: Memory corruption in line-buffering (affects code back to OpenSSL 1.0.2)
- CVE-2025-69418: Encryption flaw in OCB mode on hardware-accelerated paths
- CVE-2025-69419: Memory corruption in PKCS#12 character encoding
- CVE-2025-69420: Crash in TimeStamp Response verification
- CVE-2025-69421: Crash in PKCS#12 decryption
- CVE-2026-22795: Crash in PKCS#12 parsing
- CVE-2026-22796: Crash in PKCS#7 signature verification (affects code back to OpenSSL 1.0.2)

The remaining ten are rated low severity and cover a range of OpenSSL behaviors, from memory exhaustion and memory corruption to an encryption flaw and outright crashes. Aisle reported that at least some of the 12 vulnerabilities can be traced back all the way to 1998. The discovery shows how limited manual, human-driven vulnerability detection can be. OpenSSL is one of the most popular tools for implementing the SSL and TLS protocols. If you've ever visited a website with an HTTPS URL, that website is likely encrypted and protected with OpenSSL. The cybersecurity company's AI toolset features context-aware detection that reasons about the surrounding code it is reviewing. It then works through a series of steps to identify threats, including assigning each finding a priority score to reduce false positives.

AI-assisted security is being adopted rapidly across the security industry to make security systems more effective in general, and in particular to help security systems and companies withstand the onslaught of AI-assisted criminal attacks now plaguing the world. For example, AI researchers built an AI-powered security system a few years back that was able to predict criminal behavior with an 82.8% accuracy rating.

Aaron Klotz, Contributing Writer. Aaron Klotz is a contributing writer for Tom's Hardware, covering news related to computer hardware such as CPUs and graphics cards.