Stanislav Fort
CVEs we already had in 2025 previously, this means that AISLE, and by extension AI in general, is responsible for discovering 13 out of 14 zero-day vulnerabilities in OpenSSL in 2025.
Both the count and the relative proportion have been increasing as a function of time and are overall historically very atypical.
The 12 vulnerabilities span a significant breadth of OpenSSL's code base.
CVE-2025-15467.
Stack buffer overflow in CMS AuthEnvelopedData parsing.
The overflow occurs prior to any cryptographic verification, meaning no valid key material is required to trigger it, making it potentially remotely exploitable against any application parsing untrusted CMS content.
For context, high severity or above CVEs in OpenSSL have historically averaged less than 1 per year.
CVE-2025-11187.
Stack buffer overflow and null pointer dereference in PBMAC1 parameter validation during PKCS#12 MAC verification.
CVE-2025-15468, CVE-2025-15469, CVE-2025-66199.
CVE-2025-68160, CVE-2025-69418, CVE-2025-69419, CVE-2025-69420, CVE-2025-69421, CVE-2026-22795, CVE-2026-22796. Listed primarily for completeness' sake.
These span QUIC, PKCS#12, PKCS#7, CMS, TLS 1.3, and BIO subsystems, including heap overflows, type confusions, null dereferences, and a cryptographic bug where OCB mode leaves trailing bytes unencrypted and unauthenticated.
Three of these bugs even date back to 1998-2000, having lurked undetected for 25-27 years.
One of them, CVE-2026-22796, predates OpenSSL itself and was inherited from SSLeay, Eric Young's original SSL implementation from the 1990s.
Yet it remained undetected by the heavy human and machine scrutiny over the quarter century.
Even at low severity, a CVE is a higher bar than might be obvious.
The vast majority of reported issues don't qualify as security vulnerabilities at all.
Of those that do, most are bugs that get fixed without CVEs as standard PRs.
To receive a CVE from OpenSSL, an issue must pass their conservative security posture and be deemed important enough to track formally.
Low severity in OpenSSL still means a real, externally validated security vulnerability in well-audited critical infrastructure.