AI Discovers 12 OpenSSL Zero-Day Vulnerabilities | Cybersecurity 2026

February 19, 2026 Lisa Park Tech
Original source: schneier.com

AI System Uncovers Twelve Previously Unknown Vulnerabilities in OpenSSL

An artificial intelligence system, developed by Aisle Research, has identified twelve new zero-day vulnerabilities in OpenSSL, a widely used cryptography library. The discoveries, made during the fall and winter of 2025, were responsibly disclosed to the OpenSSL team and included in the January 27, 2026 security release. This brings the total number of Common Vulnerabilities and Exposures (CVEs) surfaced by the AI to 15 across recent OpenSSL releases, a historically high concentration for a single research entity.

The AI’s success highlights a potential turning point in cybersecurity, where automated systems are capable of identifying security flaws that have eluded both human and machine-based efforts for decades. The vulnerabilities weren’t minor; one, CVE-2025-15467, is a stack buffer overflow in CMS message parsing, rated HIGH severity by OpenSSL and scored 9.8 out of 10 (Critical) by NIST under the Common Vulnerability Scoring System (CVSS v3). Exploits for this vulnerability were reportedly developed online shortly after disclosure, underscoring the urgency of patching.

Remarkably, three of the identified bugs had been in the codebase since some point between 1998 and 2000, and one even predates OpenSSL itself, originating in Eric Young’s original SSLeay implementation from the 1990s. This demonstrates the ability of AI to uncover deeply embedded, long-standing issues that have bypassed traditional security measures, including extensive fuzzing and audits conducted by teams like Google’s.

A New Era of Vulnerability Discovery

The implications of this discovery extend beyond simply patching these specific vulnerabilities. The fact that an AI system could identify so many previously unknown flaws in a codebase that has been subjected to intense scrutiny suggests a fundamental shift in how security research is conducted. OpenSSL is a foundational component of internet security, used to encrypt communications and protect data in transit. Its widespread adoption makes it a prime target for attackers, and any vulnerabilities can have far-reaching consequences.

The Aisle Research AI didn’t just find the vulnerabilities; in five of the twelve cases, it also proposed the patches that were ultimately accepted into the official OpenSSL release. This level of automation in the remediation process is particularly noteworthy, potentially accelerating the time it takes to address security flaws and reducing the window of opportunity for attackers.

Technical Details and Impact

The vulnerabilities identified span a range of severity and exploitability. CVE-2025-15467, the stack buffer overflow, is particularly concerning due to its potential for remote exploitation without requiring valid key material. This means an attacker could potentially compromise a system simply by sending a crafted message, without needing to authenticate or possess legitimate credentials.

Another vulnerability, CVE-2025-11187, involves improper validation of PBMAC1 parameters in PKCS#12 MAC verification. This can lead to a stack-based buffer overflow, an invalid pointer, or a NULL pointer dereference during the verification process. The impact is a potential denial of service or, in some cases, code execution, depending on platform mitigations.

The fact that these vulnerabilities remained undetected for so long underscores the limitations of traditional security approaches. Fuzzing, a technique that involves feeding a program with random data to identify crashes and errors, has been used extensively on OpenSSL. Similarly, numerous code audits have been conducted over the years. The AI’s success suggests that it is able to identify patterns and anomalies that are difficult for humans or traditional automated tools to detect.

Looking Ahead

The development of AI-powered vulnerability discovery tools is still in its early stages, but the results achieved by Aisle Research demonstrate its potential. This capability will undoubtedly be adopted by both offensive and defensive security teams. Attackers could use AI to identify vulnerabilities in target systems, while defenders could use it to proactively identify and patch flaws in their own software.

The reliance on AI in cybersecurity also raises new questions about the future of the field. Will AI eventually replace human security researchers? How can we ensure that AI systems are not themselves vulnerable to attack? These are questions that the security community will need to address as AI continues to evolve.

The OpenSSL security release on January 27, 2026, represents a significant step forward in securing the internet. The collaboration between Aisle Research’s AI system and the OpenSSL team demonstrates the power of combining human expertise with artificial intelligence to address the ever-evolving challenges of cybersecurity.
