Why are we reporting so many CVEs?
If you follow wolfSSL, you’ve probably noticed that the number of CVEs we file per release has ramped up in spring 2026. From 5.8.0 (April 2025) to 5.9.1 (April 2026) we’ve experienced nearly geometric growth in reported CVEs per wolfSSL release.
So what’s going on? Should users of wolfSSL be concerned? In a word, AI is what’s happened. And no, we don’t think you should be worried. In this blog post we’ll walk through how the security scene has been evolving with AI, and what steps wolfSSL is taking to adapt to this exciting new world. We’ll also discuss how internally we’re starting to see signs of saturation in the rate of reported CVEs, as the growth of these tools is hitting diminishing returns.
How did we get here?
In short, over the last six years we’ve moved through three phases of vulnerability reporting:
- Pre-AI Era: vulnerabilities were mainly found through guided fuzzers and manual inspection. The human effort per individual CVE was very high, but the significance of individual CVEs was high as well.
- Slop Era: Somewhere around early 2024, open source maintainers began to notice a steadily growing influx of low-effort AI vulnerability reports (slop). This trend of AI slop reporting probably reached a crescendo around mid-2025. At this point the threat of AI was mainly a denial-of-service attack on human attention span, as everyone was exhausted from reviewing bogus reports.
- Mythos Era: Around the Fall of 2025 we noticed an uptick in real vulnerabilities. For example, wolfSSL release 5.8.4 filed 8 CVEs, all low to medium severity. By early Spring 2026 the situation had changed significantly: release 5.9.0 had 15 CVEs (3 High), and release 5.9.1 had 22 (1 Critical, 10 High)! The new models were churning out both higher volume and higher quality reports.
That brings us to the present day, where a single release like 5.9.1 has more CVEs filed than in an entire previous year.
Where do we go from here?
So what does the future look like? The CVE system was likely never intended for a world of mass AI reporting, and there will be a period of awkward adjustment. Some amount of CVE inflation and dilution will be unavoidable. Also, there are legitimate concerns that large organizations will simply fix vulnerabilities silently without ever disclosing them.
We at wolfSSL have taken the following stance as we adapt to this exciting new world:
Transparency
We at wolfSSL have opted for maximum transparency: we will continue to fix and disclose CVEs promptly, and conduct business as usual, whether that means we have 2 or 20 CVEs in a release. We think the best posture is to simply be open and transparent with our users about what is happening to the industry. Hence you can expect we’ll be entering a phase of heightened CVE reporting as we ride out this storm. We don’t really know the right rate of fix & disclosure in this era of AI mass reporting, and we welcome feedback if our cadence is too fast.
Optimism
Overall we maintain an optimistic outlook, and the reasons are:
- AI models can only make large jumps in capability so many times. Also, practical restrictions like compute and token limits are starting to be felt.
- The low-hanging fruit of easily found vulnerabilities is being rapidly cleared out.
- Internally we are seeing the rate of CVE discovery starting to taper off.
- Finally, new internal AI-powered tools are finding issues pre-emptively before they land in released code, which we’ll discuss next.
Fight Fire with Fire
We’re aggressively adopting AI into our internal workflows, and new AI tools like Fenrir and Skoll now regularly patrol our software base, sniffing out problems before they land in live, not-yet-released code. We believe the real value of AI for security and systems programming will be in testing and review, and the problem of high CVE reporting will largely become self-correcting as AI tools are increasingly used to pre-emptively find issues before they escape into the wild.
If you have questions about any of the above, please contact us at facts@wolfssl.com or call us at +1 425 245 8247.

