Summary
AISLE says its autonomous analyzer found 20 OpenSSL CVEs across three coordinated releases: three CVEs in September 2025, all 12 CVEs in the January 2026 OpenSSL release, and five of seven CVEs in the April 2026 release.
The January 2026 set included CVE-2025-15467, a high-severity stack buffer overflow in CMS AuthEnvelopedData parsing. AISLE says some of the January bugs dated back to 1998-2000.
Why this is grouped
Listing each low-severity OpenSSL CVE as a separate finding would make the ledger harder to read. The important public signal is the sustained pattern: one AI-assisted research system repeatedly producing accepted reports and, in many cases, fixes for one of the most reviewed cryptographic libraries in the world.
Attribution
OpenSSL’s official vulnerability database credits Aisle Research reporters on the individual CVEs. AISLE’s own write-ups provide the autonomous-AI attribution and describe the analyzer’s role in discovery and patch generation.
That puts this cluster in the direct source-attribution category, with a note that the OpenSSL advisory confirms the researchers and fixes while AISLE confirms the AI system behind the research workflow.
References
- AISLE: 20 OpenSSL zero-days in 6 months
- AISLE: five of seven OpenSSL April 2026 CVEs
- OpenSSL vulnerability database
Catalogued in the Bugflation public ledger.