AI finds 12 vulnerabilities in OpenSSL
AISLE’s autonomous analyzer found all CVEs in the January OpenSSL release

Original link: https://aisle.com/blog/aisle-discovered-12-out-of-12-openssl-vulnerabilities

## AISLE's AI discovers 12 zero-day vulnerabilities in OpenSSL

AISLE's autonomous AI analyzer identified 12 previously unknown vulnerabilities (CVEs) in OpenSSL, the widely used open-source cryptographic library. Notably, some of these flaws had existed for decades, evading detection by numerous security researchers. The vulnerabilities range in severity from high to low (including buffer overflows and crashes), were discovered between August 2025 and January 2026, and were fixed in coordination with the OpenSSL Foundation. It is also worth mentioning that AISLE's analysis proactively identified and helped fix 6 bugs *before* they appeared in any OpenSSL release, signalling a shift in security strategy toward preventive security. The OpenSSL Foundation praised the quality of AISLE's reports and its collaborative approach. This milestone highlights the limits of traditional manual code review, even in a heavily scrutinized project like OpenSSL. AISLE's AI can analyze code at a speed and scale no human can match, uncovering complex issues that would otherwise remain hidden. While it does not replace human expertise (the OpenSSL team validated and refined the fixes), it dramatically shortens remediation time and moves the industry closer to proactive software security.

## AI-driven security analysis uncovers OpenSSL vulnerabilities

AISLE, an autonomous analyzer, discovered all 12 CVEs in the latest OpenSSL release, highlighting a potential shift in vulnerability detection. While human expertise remains essential for validation and remediation, the tool significantly shortened time-to-fix. Discussion centered on the complexity of the OpenSSL codebase (often described as "awful" and hard to maintain) and the impact of increasingly widespread AI tools on both finding *and* exploiting vulnerabilities. Concerns were raised about the industry's ability to quickly patch widely used software, particularly abandoned software, and about the resource gap between exploit developers and open-source maintainers. Some commenters suggested moving to more modern, maintainable cryptographic libraries such as BoringSSL or libraries that use formal verification. Others noted that AI could both worsen and improve software security, and stressed the need for responsible disclosure practices. The findings also sparked debate about the effectiveness of bug bounty programs in an era of AI-generated reports.

Original text

Autonomous zero-day discovery in one of the most scrutinized codebases in the world

AISLE's autonomous analyzer found all 12 CVEs in the January 2026 coordinated release of OpenSSL, the open-source cryptographic library that underpins a substantial proportion of the world’s secure communications. Some of these vulnerabilities had persisted in OpenSSL code for decades, evading the notice of thousands of security researchers.

Finding a genuine security flaw in OpenSSL is extraordinarily difficult. Even a single accepted vulnerability represents a rare achievement. The library's maturity and the community's vigilance make new discoveries exceptionally uncommon. This makes the January 2026 release an important milestone for autonomous security systems. As Tomáš Mráz, CTO of the OpenSSL Foundation, says,

“One of the most important sources of the security of the OpenSSL Library and open source projects overall is independent research. This release is fixing 12 security issues, all disclosed to us by AISLE. We appreciate the high quality of the reports and their constructive collaboration with us throughout the remediation.”

In this article, we’ll give an overview of our discoveries and explain why we think this is a watershed moment for AI-powered software security.

The Discoveries

The AISLE Research Team started hunting for OpenSSL vulnerabilities with our autonomous analyzer in August 2025. You can read about the three discoveries we made in Q3 of 2025 here. All of our discoveries were reported through responsible disclosure and resolved through coordinated releases with the OpenSSL project.

High and Moderate Severity CVEs

  • CVE-2025-15467: Stack Buffer Overflow in CMS AuthEnvelopedData Parsing (High): A vulnerability with the potential to enable remote code execution under specific conditions
  • CVE-2025-11187: PBMAC1 Parameter Validation in PKCS#12 (Moderate): Missing validation that could trigger a stack-based buffer overflow

Low Severity CVEs

  • CVE-2025-15468: Crash in QUIC protocol cipher handling
  • CVE-2025-15469: Silent truncation bug affecting post-quantum signature algorithms (ML-DSA)
  • CVE-2025-66199: Memory exhaustion via TLS 1.3 certificate compression
  • CVE-2025-68160: Memory corruption in line-buffering (affects code back to OpenSSL 1.0.2)
  • CVE-2025-69418: Encryption flaw in OCB mode on hardware-accelerated paths
  • CVE-2025-69419: Memory corruption in PKCS#12 character encoding
  • CVE-2025-69420: Crash in TimeStamp Response verification
  • CVE-2025-69421: Crash in PKCS#12 decryption
  • CVE-2026-22795: Crash in PKCS#12 parsing
  • CVE-2026-22796: Crash in PKCS#7 signature verification (affects code back to OpenSSL 1.0.2)

AISLE’s analyzer also recommended fixes which were incorporated directly into OpenSSL for 5 of the 12 CVEs.

Beyond CVEs: Catching Bugs Before They Ship

In addition to the 12 CVEs, 6 findings were never assigned a designation. In each case, AISLE detected the issue, reported it to the maintainers, and the fix was merged before the vulnerable code ever appeared in a release.

By integrating autonomous analysis directly into development workflows, security issues were identified and resolved before they reached users. That is our goal: preventing vulnerabilities, not merely patching them after deployment.

What This Means

OpenSSL represents one of the most deployed, battle-tested, and carefully maintained open-source projects in existence. The fact that 12 previously unknown vulnerabilities could still be found there, including issues dating back to 1998, suggests that manual review faces significant limits, even in mature, heavily audited codebases.

Human reviewers are constrained by time, attention, and the sheer volume of code in modern systems. Traditional static analysis catches certain bug classes but struggles with complex logic errors and timing-dependent issues. By contrast, autonomous AI-driven analysis operates at a different scale. It can examine code paths and edge cases that would take human reviewers months to cover, and it runs continuously rather than periodically.

This doesn't mean that AI can replace human expertise. The OpenSSL maintainers' deep knowledge of the codebase was essential for validating findings and developing robust fixes. But it does change the SLA of security. When autonomous discovery is paired with responsible disclosure, it collapses the time-to-remediation for the entire ecosystem.

The 12 OpenSSL vulnerabilities we identified, spanning 8+ subsystems from CMS to QUIC to post-quantum signatures, represent a milestone in our (admittedly ambitious) mission: moving from reactive patching to securing the software foundation that modern civilization depends on.

Collaboration with OpenSSL

From the moment our system flagged these anomalies, we approached this as a partnership with the OpenSSL community. We submitted detailed technical reports through their coordinated security reporting process, including complete reproduction steps, root cause analysis, and concrete patch proposals. In each case, our proposed fixes either informed or were directly adopted by the OpenSSL team.

As Matt Caswell, Executive Director of the OpenSSL Foundation, said, “Keeping widely deployed cryptography secure requires tight coordination between maintainers and researchers. We appreciate AISLE's responsible disclosures and the quality of their engagement across these issues.”

The OpenSSL team's responsiveness was exceptional. Under the leadership of Tomáš Mráz, the Chief Technical Officer (CTO) at the OpenSSL Foundation, the maintainers engaged technically at every stage: validating findings, refining patches, coordinating releases across multiple branches, and synchronizing with downstream distributions.

Further Reading

For questions about AISLE's autonomous analyzer, reach out to us at [email protected].

Our appreciation goes to Tomáš Mráz, Matt Caswell, Neil Horman, and the OpenSSL team for their collaboration throughout this process. AISLE researchers contributing to these discoveries include Stanislav Fort, Petr Šimeček, Tomas Dulka, and Luigino Camastra.
