OpenSSL Patches 18 Vulnerabilities, Including High-Severity Remote Code Execution Flaw OpenSSL has released updates addressing 18 vulnerabilities, among them a high-severity heap use-after-free bug (CVE-2026-45447) that could enable remote code execution. The flaw, discovered by a California-based researcher in collaboration with Claude AI and Anthropic Research, affects PKCS#7 signature verification when processing maliciously crafted PKCS#7 or S/MIME signed messages. The vulnerability occurs if the SignedData digestAlgorithms field is present as an empty ASN.1 SET, causing OpenSSL to incorrectly free a caller-owned BIO during PKCS7_verify(). Exploitation could lead to heap corruption, process crashes, or remote code execution. In addition to the high-severity issue, the patches fix moderate- and low-severity flaws that could allow decryption of encrypted communications, DoS attacks, certificate forgery, private key recovery, and arbitrary code execution. One medium-severity weakness enables attackers to bypass authentication by tricking systems into accepting fake certificates with a 1-in-256 success rate. Anthropic researcher Alex Gaynor reported six of the patched vulnerabilities, suggesting potential involvement of the company’s Mythos AI model in identifying the flaws. High-severity OpenSSL vulnerabilities remain rare this is only the second such flaw patched in 2026, following a sensitive data exposure issue resolved in April. The updates underscore the ongoing risks in widely used cryptographic libraries, particularly for systems relying on PKCS#7 and S/MIME verification. Organizations using OpenSSL are advised to apply the patches promptly.

OpenSSL Patches Seven Vulnerabilities, Including Moderate-Severity Data Leak Flaw OpenSSL has released updates addressing seven vulnerabilities, one of which CVE-2026-31790 could allow attackers to access sensitive data. Classified as moderate severity, the flaw affects applications using RSASVE key encapsulation by failing to verify encryption success, potentially exposing uninitialized memory buffers containing residual sensitive data from prior processes. The vulnerability impacts OpenSSL versions 3.6, 3.5, 3.4, 3.3, and 3.0, while 1.0.2 and 1.1.1 remain unaffected. The remaining six flaws are rated low severity, with most enabling denial-of-service (DoS) attacks via application crashes. Two could theoretically permit arbitrary code execution, though one requires an uncommon OpenSSL configuration, and the other involves a 1GB X.509 certificate making exploitation impractical in most cases. This follows a January update that fixed 12 vulnerabilities, including a high-severity remote code execution (RCE) flaw. Notably, high-severity OpenSSL vulnerabilities have become rare, with only one reported in 2025. The latest patches reinforce OpenSSL’s ongoing efforts to mitigate risks in widely used cryptographic libraries.