Overview
- The January 2026 release addresses 12 previously unknown vulnerabilities that AISLE’s autonomous analyzer uncovered and reported through coordinated disclosure.
- The update fixes a high-severity stack buffer overflow in CMS AuthEnvelopedData parsing (CVE-2025-15467), with potential for remote code execution, and a moderate-severity PKCS#12 validation flaw (CVE-2025-11187).
- The issues span more than eight subsystems, including CMS, QUIC, PKCS#12, and post-quantum signature handling; several of the bugs had persisted for years, some tracing back to code from 1998 and to code paths dating to OpenSSL 1.0.2.
- AISLE supplied remediation guidance; five of its fixes were adopted directly, and six additional findings were corrected before any release and therefore received no CVE identifiers.
- OpenSSL’s Tomáš Mráz and Matt Caswell publicly praised AISLE’s collaboration, and coverage notes no confirmed widespread exploitation linked to the patched flaws.