OpenSSL CVE-2026-45447: High-Severity PKCS#7 RCE Discovered With AI
18 Vulnerabilities, One High-Severity: And AI Found Some
OpenSSL released patches for 18 vulnerabilities in June 2026. That alone would be significant. But one detail stands out: several were discovered with AI assistance, including the highest-severity flaw.
CVE-2026-45447 is a heap user-after-free bug in PKCS#7 signature verification that can lead to remote code execution. It was discovered by a California researcher collaborating with Claude AI and Anthropic Research. This marks a shift in how vulnerability research happens—and what it means for patching urgency.
High-severity OpenSSL flaws are rare these days. Last year, only one high-severity issue was patched. CVE-2026-45447 is the second of 2026. For systems that depend on OpenSSL for cryptographic operations, this is patch-now territory, not wait-and-see.
CVE-2026-45447: The Vulnerability
Severity: High (CVSS TBD)
Impact: Remote Code Execution, heap corruption, process crashes
Affected: PKCS#7 and S/MIME signature verification
Attack Vector: Specially crafted PKCS#7 or S/MIME signed message
How It Works
When processing a PKCS#7 or S/MIME signed message, if the SignedData digestAlgorithms field is present as an empty ASN.1 SET, OpenSSL incorrectly frees a caller-owned BIO (Basic I/O abstraction) during PKCS7_verify().
A subsequent use of that BIO by the calling application results in a use-after-free condition. The freed memory can be reallocated for other purposes. The application continues using the original pointer, expecting valid memory. The result: heap corruption.
Attack scenario:
- Attacker crafts a PKCS#7 or S/MIME message with an empty
digestAlgorithmsfield - Victim application verifies the message using
PKCS7_verify() - OpenSSL frees memory it shouldn't
- Application accesses the freed memory
- Heap corruption occurs → potential RCE
This is not a denial-of-service flaw. This is code execution.
Who's Affected?
Any application that:
- Verifies PKCS#7 signatures
- Processes S/MIME signed email messages
- Uses OpenSSL for cryptographic verification
- Exposes the verification process to untrusted input (external messages, email, API calls)
This includes:
- Email clients and servers
- Certificate authorities and validation services
- API gateways that verify signed requests
- Messaging applications
- Cryptographic libraries built on top of OpenSSL
The Other 17 Vulnerabilities
The remaining 17 flaws range from moderate to low severity, but they're far from harmless:
Moderate-severity flaws can be exploited to:
- Decrypt encrypted communications
- Forge arbitrary ciphertexts
- Launch denial-of-service attacks
- Bypass integrity validation
- Execute arbitrary code
One medium-severity weakness (CVE-2026-XXXXX, details TBD) can trick systems into accepting fake, attacker-controlled certificates and private keys. Success rate: 1-in-256. That's not a guarantee, but for attackers running at scale, 1-in-256 is exploitable.
Low-severity vulnerabilities can lead to:
- Denial-of-service crashes
- Message forgery
- Private key recovery
- Root CA certificate replacement
- Possibly arbitrary code execution
Even "low-severity" is relative. Recovery of private keys is catastrophic. Replacement of root CA certificates compromises trust at scale.
AI-Assisted Vulnerability Discovery
Alex Gaynor of Anthropic has been credited with reporting half a dozen of the newly patched vulnerabilities. Gaynor is a security researcher at Anthropic's research team. The fact that multiple researchers at Anthropic contributed findings suggests their AI vulnerability discovery tools (Mythos model, according to reporting) identified real flaws.
This is significant because:
For vulnerability research: AI-assisted scanning can identify use-after-free conditions, integer overflows, and other memory safety bugs faster than manual code review. OpenSSL is a massive codebase (roughly 600K lines of code). Finding bugs at scale requires scale.
For patch urgency: If AI tools can find these flaws, so can attackers. The gap between discovery and weaponization narrows. Patching speed matters more.
For future releases: Expect more vulnerabilities discovered via AI. This is not a one-time finding. It's a new category of research method.
Patching CVE-2026-45447
Identify Affected Versions
OpenSSL 3.0.0 through 3.2.2 (and related 3.x versions) are affected. OpenSSL 1.1.1 and earlier versions are NOT affected.
Check your version:
openssl version
# Output: OpenSSL 3.1.5 21 Sep 2024
Apply Patches Immediately
Red Hat / CentOS / Fedora:
dnf update openssl openssl-libs openssl-devel
Debian / Ubuntu:
apt update && apt upgrade openssl libssl-dev
Alpine:
apk update && apk upgrade openssl
macOS (Homebrew):
brew update && brew upgrade openssl
From source:
# Download OpenSSL 3.2.3 or later
wget https://github.com/openssl/openssl/releases/download/openssl-3.2.3/openssl-3.2.3.tar.gz
tar xzf openssl-3.2.3.tar.gz
cd openssl-3.2.3
./Configure
make && make test
sudo make install
⚠️ Applications using OpenSSL may need restart. Restart any services that link against OpenSSL after patching:
# nginx
sudo systemctl restart nginx
# Apache
sudo systemctl restart apache2
# applications that use OpenSSL libraries
sudo systemctl restart <service>
Impact on Systems Using PKCS#7
If your system processes PKCS#7 or S/MIME messages, assume you're vulnerable until patched:
Email servers: S/MIME signed email verification
Certificate authorities: PKCS#7 chain validation
Digital signature services: Any service verifying signed documents
API gateways: If they validate signed requests
Cryptographic libraries: Any wrapper around OpenSSL
For each system, ask:
- Does it run OpenSSL 3.0.0 through 3.2.2?
- Does it verify PKCS#7 signatures or S/MIME messages?
- Does it expose this verification to untrusted input?
If all three are yes: patch immediately.
The Bigger Picture: AI in Vulnerability Discovery
This release marks a turning point. Anthropic's research team used AI tools to find real, patched vulnerabilities in a widely-used cryptographic library. The implications:
Defenders: AI-assisted fuzzing and static analysis can find bugs before they're exploited. Security teams should invest in these tools.
Attackers: The same AI tools are available. Advanced threat actors will use them. Vulnerability discovery speed accelerates.
Vendors: Projects like OpenSSL will face more frequent, AI-discovered reports. Patching cycles may need to accelerate.
Timeline compression: The gap between vulnerability discovery and exploitation shrinks. Patching delays become more dangerous.
For OpenSSL specifically, this is validation that continued security work matters. The project has been under intense scrutiny for decades. Finding new high-severity flaws this year shows that code review, fuzzing, and now AI-assisted analysis still uncover issues.
Detection and Monitoring
Until systems are patched:
Monitor for exploitation attempts:
- Unusual process crashes involving OpenSSL or applications that use it
- Heap corruption warnings in logs
- Unexpected process termination
- Failed PKCS#7 or S/MIME verification attempts followed by crashes
Check logs for suspicious PKCS#7 processing:
# Look for PKCS#7 or S/MIME processing errors
grep -i "pkcs7\|s/mime\|signature" /var/log/syslog
grep -i "use-after-free\|heap" /var/log/syslog
Network indicators:
- Unusual PKCS#7 or S/MIME messages from unexpected sources
- Specially crafted signatures designed to trigger parsing bugs
Timeline
- June 2026: OpenSSL releases patches for CVE-2026-45447 and 17 other vulnerabilities
- Patching deadline: Treat as critical; patch within days, not weeks
- Future implications: Expect more AI-discovered vulnerabilities in subsequent OpenSSL releases
Patching Checklist
- [ ] Identify all systems running OpenSSL 3.0.0 through 3.2.2
- [ ] Identify systems that verify PKCS#7 or S/MIME signatures
- [ ] Test patches in a staging environment first
- [ ] Plan restart windows for production systems
- [ ] Patch and restart services
- [ ] Verify OpenSSL version after patching
- [ ] Monitor for exploitation attempts during the patching window
- [ ] Update patch management records
