OpenAI Codex Security Scan Identifies 10,561 High-Severity Vulnerabilities in Open Source

AI Vulnerability Discovery: How Codex Security Finds Security Flaws

AI vulnerability discovery is the use of machine reasoning, code analysis, threat modeling, and exploit validation to identify security flaws in software repositories faster than traditional manual review or signature-based static analysis.

OpenAI Codex Security is an AI-powered application security analysis system that analyzes repository history commit-by-commit to understand how security-relevant code evolved over time, identifies potential vulnerabilities, validates exploitability in a sandbox environment, and proposes code fixes. The system builds a threat model of the target project before performing AI vulnerability scanning, allowing it to prioritize findings based on real-world exploitability rather than simple static patterns. Unlike traditional automated security review tools that match code against known signatures, Codex Security uses AI code analysis to reason about the specific architecture and trust boundaries of each scanned project — a distinction that directly affects the confidence level of each finding. The result is a significant reduction in false positives and a set of findings oriented toward actionable, high-confidence detections with proposed patches.

Key Findings From the Codex Security Scan

• 1.2 million code commits analyzed across open-source repositories in 30 days
• 10,561 high-severity security findings identified through AI vulnerability discovery
• 792 critical vulnerabilities discovered and surfaced to maintainers
• 14 findings assigned official CVE identifiers through the MITRE-coordinated CVE Program
• Major projects affected include GnuPG, GnuTLS, GOGS, PHP, Chromium, and OpenSSH
• OpenAI reported that false-positive rates were reduced by more than 50% compared with conventional static analysis tooling during internal testing
• Critical findings appeared in under 0.1% of scanned commits, reflecting high signal density

For decades, security researchers have known that open-source software hides vulnerabilities that nobody has looked for yet. The code is public, but systematic review capacity is limited. Audits are expensive, maintainers are often volunteers, and the sheer volume of commits across thousands of widely-deployed projects makes comprehensive review practically impossible. OpenAI's new Codex Security tool just demonstrated exactly how large that gap is.

Released on March 6, 2026, and now rolling out in research preview, Codex Security is an AI-powered application security agent that scans connected GitHub repositories commit by commit, builds a project-specific threat model, validates suspected vulnerabilities in a sandboxed environment, and proposes patches. The scan focused primarily on public GitHub repositories connected to the Codex Security research preview program, allowing the agent to analyze historical commit histories rather than only current code snapshots. This approach to AI security analysis represents a meaningful shift from signature-based tools: in its first 30 days of beta operation against external repositories, it found 792 critical findings and 10,561 high-severity findings across foundational open-source projects used by hundreds of millions of systems worldwide. Fourteen of those findings were serious enough to receive formal CVE identifiers through the MITRE-coordinated CVE Program.

The affected projects are not obscure: GnuPG, GnuTLS, GOGS, Thorium, libssh, PHP, Chromium, and OpenSSH. Software that sits at the base of Linux distributions, development pipelines, cryptographic communications, remote administration, and web infrastructure. The implications for defenders are immediate and operational.

What Codex Security Is and How It Works

Codex Security is the commercial evolution of a research agent OpenAI had been running internally under the codename Aardvark, which entered private beta in October 2025. Early internal deployments uncovered a server-side request forgery (SSRF) vulnerability and a critical cross-tenant authentication flaw, both of which the company's security team patched within hours of discovery.

The tool operates in three sequential stages. First, it analyzes a repository to understand the project's security-relevant architecture and generates an editable threat model that captures what the system does, what it trusts, and where it is most exposed. Second, it uses that threat model as a filtering lens to identify vulnerabilities and rank them by expected real-world impact — rather than flagging every theoretical weakness regardless of exploitability. Third, suspected vulnerabilities are validated through controlled proof-of-concept execution in a sandboxed environment designed to approximate the runtime conditions of the target system, and then the agent proposes fixes aligned with the existing code's behavior to minimize regression risk.

Codex Security builds deep context about your project to identify complex vulnerabilities, surfacing higher-confidence findings with fixes that meaningfully improve security. — OpenAI, March 2026

The distinction from conventional static analysis tools is significant. Traditional scanners pattern-match against known vulnerability signatures and produce enormous volumes of low-confidence alerts that security teams must manually triage. Codex Security grounds its detections in system context before surfacing them, meaning a flagged issue has already been evaluated against the specific architecture of the target project — not just compared against a generic rule set.

OpenAI also noted that the system features adaptive learning: when security teams adjust the criticality rating on a finding, the tool incorporates that feedback to refine future detections. This feedback loop is particularly important for reducing recurrence of over-reported severity in long-running deployments.

AI vulnerability discovery systems typically combine static analysis, semantic reasoning, and exploit validation. By analyzing dependency graphs, control flow paths, and input trust boundaries, these systems can detect security flaws that traditional pattern-matching scanners often miss.

How Reliable Are AI-Discovered Vulnerabilities?

The reliability of AI-generated vulnerability findings is a question security professionals ask immediately. Traditional static analysis tools frequently produce high false-positive rates because they lack runtime context and architectural understanding. Codex Security attempts to address this through a validation stage that executes proof-of-concept exploits inside a sandboxed environment designed to approximate the runtime conditions of the target system.

Sandbox reproduction does not guarantee real-world exploitability. Compiler variations, ASLR configuration, runtime environment differences, deployment architecture, and platform-specific mitigations all affect whether a finding translates into a confirmed exploit in production. Validation under controlled sandbox conditions raises confidence but does not eliminate uncertainty — which is why independent reproduction and maintainer verification remain the gold standard in security research practice.

It is also important to distinguish between previously unknown vulnerabilities and rediscovered issues. AI-assisted scanning frequently surfaces both. Some findings represent entirely new security flaws, while others reproduce vulnerabilities that had been previously reported but not fully analyzed across all affected code paths. The beta metrics are notable: an 84% noise reduction on some repositories, over 90% reduction in over-reported severity findings, and OpenAI reported that false-positive rates were reduced by more than 50% compared with conventional static analysis tooling during internal testing. Critical findings appeared in under 0.1% of scanned commits. Vulnerabilities that received CVE assignments have typically undergone additional verification by maintainers or security researchers before public disclosure, which is why the 14 formal CVEs from this beta carry particular weight.

CVE-2026-24881: The GnuPG Flaw You Need to Patch Today

The headline finding from Codex Security's open-source scanning work is CVE-2026-24881 in GnuPG, a high-severity CVE security advisory affecting GnuPG versions 2.5.13 through 2.5.16. Full technical details are available at the NVD entry for CVE-2026-24881. The severity scoring picture for this CVE varies across sources and should be understood in that context: the Amazon Linux ALAS advisory assigns a CVSSv3 base score of 8.1 (High); the Rescana commercial aggregator assigns it 9.8 (Critical); the SUSE advisory describes the issue as "important severity" without a numeric score; and Red Hat's advisories covering related GnuPG vulnerabilities from this period use the same "Important" label without committing to a specific score for this CVE. The NVD record itself is currently in "Received" status as of March 11, 2026, meaning NIST has not yet completed its own analysis and has not assigned a score — so readers checking different sources will encounter different numbers until that analysis is finalized. CVSS scores describe theoretical severity under standardized conditions and do not necessarily reflect real-world exploitability in a given deployment. Regardless of which source's score you use, this vulnerability should be treated as a priority patch: it is a stack-based buffer overflow in a widely deployed cryptographic component with no authentication requirement for triggering it.

The vulnerability exists in the gpg-agent component of GnuPG versions 2.5.13 through 2.5.16. It is triggered when gpg-agent processes a specially crafted CMS (S/MIME) EnvelopedData message containing an oversized wrapped session key during PKDECRYPT--kem=CMS handling. The oversized key causes a stack-based buffer overflow — a condition in which input exceeding a fixed-size stack buffer overwrites adjacent stack memory, potentially corrupting return addresses or stack frame metadata used for control flow.

At minimum, a remote attacker can exploit this for reliable denial of service by crashing gpg-agent. Under conditions where the memory layout is favorable — which depends on the target system's compiler version, address space layout randomization configuration, and stack protector settings — the memory corruption opens a path to remote code execution. The vulnerability is triggered when gpg-agent processes a crafted CMS (S/MIME) EnvelopedData message. Systems that use gpg-agent for S/MIME decryption workflows are potentially exposed; no authentication is required from the attacker to send such a message.

GnuPG is embedded deeply in Linux package management, encrypted email workflows, software signing pipelines, and backup verification systems. Any environment using GnuPG for S/MIME decryption — which includes many corporate email security setups and automated processing pipelines — should treat this as a priority-one patch. If immediate upgrade to 2.5.17 is not possible, disabling S/MIME decryption processing in gpg-agent is the recommended temporary mitigation.

GnuTLS: Three High-Severity Cryptographic Library Flaws

GnuTLS is the cryptographic library underlying secure communications across a wide range of Linux distributions and server software. Codex Security identified three significant vulnerabilities, all assigned CVEs and now addressed in GnuTLS 3.8.10.

CVE-2025-32988 is a double-free vulnerability in the otherName Subject Alternative Name export code path. Double-free conditions occur when memory is deallocated twice, and in C-based code without garbage collection this typically corrupts the allocator's internal state — which can corrupt allocator state and potentially enable controlled heap manipulation in vulnerable contexts.

CVE-2025-32989 is a heap buffer overread in the Signed Certificate Timestamp (SCT) extension parsing code. Overread vulnerabilities allow an attacker to cause the library to read memory beyond the intended buffer boundary, potentially leaking sensitive data from adjacent memory regions — including private key material or session secrets depending on heap layout at the time of the read.

CVE-2025-32990 is an off-by-one heap buffer overflow in the certtool utility's certificate parsing logic. Off-by-one overflows are a classic class of memory corruption where a boundary check is wrong by exactly one element, allowing a single byte or element of data to be written just past the end of an allocated buffer. While often harder to exploit than larger overflows, they remain a serious class of vulnerability in cryptographic code where the consequences of memory corruption can include key material exposure.

Why These Bugs Survived Decades of Review

Many of the vulnerabilities identified here exist in rarely exercised code paths rather than in the main execution flow. In the GnuPG case, the vulnerable logic is located in the S/MIME processing pipeline inside gpg-agent — functionality that many environments do not routinely exercise during testing. Several factors commonly allow these classes of bugs to persist for years.

Low execution frequency is a primary factor: code paths triggered only by unusual protocol inputs rarely surface during standard functional testing. Complex data structures compound the problem — ASN.1 parsing and certificate handling logic historically produce subtle memory errors that are difficult to detect through conventional review. Legacy C codebases like GnuPG and GnuTLS predate modern memory-safe language practices and carry decades of accumulated technical assumptions. Limited fuzzing coverage plays a role as well, since fuzzers often miss logic that requires specific protocol preconditions to reach. AI-assisted reasoning systems can model these code paths in ways that traditional fuzzing and static analysis tools cannot, allowing them to identify exploitable conditions that previously required extensive manual audit to surface. For organizations focused on secure software supply chain risk, this class of latent vulnerability in foundational cryptographic libraries represents a category of exposure that has historically been invisible to automated tooling.

GOGS: A Self-Hosted Git Service Under Active Attack

GOGS is a lightweight, self-hosted Git service written in Go, popular in on-premises development environments and cloud deployments as an alternative to GitLab or GitHub Enterprise. It has accumulated a significant number of serious vulnerabilities over the past year, and several are now under active exploitation in the wild.

The most operationally dangerous is CVE-2025-8110 (CVSS 8.7), a path traversal vulnerability in GOGS's PutContents API stemming from improper handling of symbolic links. An authenticated attacker can create a Git repository, commit a symbolic link pointing to a sensitive target outside the repository, and then use the PutContents API to write arbitrary data through that symlink. The underlying operating system follows the symlink and overwrites the target file. A common exploitation pattern involves targeting the Git configuration file and modifying the sshCommand setting to gain arbitrary code execution on the server.

This vulnerability was discovered by the Wiz Threat Research team in July 2025 while investigating an active malware infection on a customer's GOGS instance. Wiz observed multiple waves of exploitation activity with payloads linked to the Supershell command-and-control framework deployed across compromised servers. CISA added CVE-2025-8110 to its Known Exploited Vulnerabilities catalog on January 12, 2026, and directed Federal Civilian Executive Branch agencies to remediate by February 2, 2026. A patch became available in GOGS version 0.13.4 on January 23, 2026.

Codex Security's scanning also surfaced two additional GOGS vulnerabilities. CVE-2025-64175 (CVSS 7.7) is a cross-account 2FA bypass: in GOGS versions 0.13.3 and prior, two-factor authentication recovery codes were not properly scoped to individual user accounts. An attacker who has obtained a victim's username and password can use any unused recovery code from their own account to bypass the victim's 2FA entirely, achieving full account takeover. The fix is in GOGS 0.13.4 and the 0.14.0 development branch.

CVE-2026-25242 is an unauthenticated file upload vulnerability. When GOGS is configured with the default RequireSigninView setting disabled — which is the default state — any remote user, authenticated or not, can upload files through exposed endpoints.

Recovery codes in GOGS 0.13.3 and prior were not scoped to individual accounts. An attacker with a victim's credentials could bypass that user's 2FA using codes from their own account. — Security advisory, CVE-2025-64175

For GOGS administrators, the remediation path is clear: upgrade to 0.13.4 immediately, enable RequireSigninView, restrict the service to internal networks or VPN access, and consider migrating to Gitea — the actively maintained fork of GOGS — which has a significantly more active security response process. Given the active exploitation of CVE-2025-8110 and the availability of 2FA bypass techniques, GOGS instances with open internet exposure and open registration should be treated as compromised until verified otherwise.

In most cases, vulnerabilities identified during automated analysis follow the same responsible disclosure process as traditional security research: maintainers are notified privately, patches are prepared, and CVE identifiers are assigned before public disclosure. The GOGS and GnuPG findings above are consistent with that workflow, which is reflected in the coordinated release of patches alongside the CVE announcements.

PHP, OpenSSH, Chromium, Thorium, and libssh

Codex Security's beta scanning extended well beyond the three headline projects. The full scope of affected software reflects how broadly these vulnerabilities touch modern infrastructure.

OpenSSH was also flagged in Codex Security's open-source scanning work. Codex Security reported findings affecting OpenSSH Portable during the beta scan, although the specific vulnerabilities have not been publicly detailed. Given how broadly OpenSSH is deployed for remote server administration, configuration management tooling, and automated pipelines, organizations should verify their installed OpenSSH version against the latest upstream release and apply distribution security updates on their standard maintenance schedule.

PHP vulnerabilities were found across all actively maintained branches. Affected versions include 8.1.x before 8.1.34, 8.2.x before 8.2.30, 8.3.x before 8.3.29, 8.4.x before 8.4.16, and 8.5.x before 8.5.10. Any end-of-life PHP version is also affected and has no patch path — organizations running PHP 7.x or earlier should treat those systems as unpatched regardless of other mitigations. PHP powers a substantial portion of the web's server-side infrastructure, and unpatched PHP installations are a perennially popular target for initial access in web application attacks.

Thorium, a performance-optimized Chromium fork used by some developer and enthusiast communities, was found to contain seven vulnerabilities tracked as CVE-2025-35430 through CVE-2025-35436. These cover a range of issues including path traversal in file download handling, LDAP injection in authentication code paths, unauthenticated denial of service via email verification abuse, session fixation on password change, and disabled TLS verification in the Elasticsearch client component. Fixes are available in Thorium 1.1.2.

libssh vulnerabilities affect all versions below 0.11.2 and any build using an OpenSSL version prior to 3.0. libssh is a C library implementing the SSH protocol used in a wide range of applications and automation tooling. Organizations with custom SSH implementations built on libssh should verify both the library version and the underlying OpenSSL linkage.

Chromium vulnerabilities were identified across versions prior to the latest March 2026 stable release. Because Chromium serves as the foundation for Chrome, Edge, Brave, Opera, and many other browsers, these findings have an extremely broad exposure surface. Browser vendors typically release security updates within days of upstream Chromium patches; the key action for defenders is ensuring automatic browser updates are not being suppressed in enterprise environments.

Table: Major vulnerabilities discovered during Codex Security analysis

CVE	Project	Score	Type	Fixed In
CVE-2026-24881	GnuPG	8.1 (ALAS) / 9.8 (Rescana) — NVD pending	Stack buffer overflow / RCE	2.5.17
CVE-2026-24882	GnuPG	—	Related memory corruption	2.5.17
CVE-2025-32988	GnuTLS	High	Double-free in SAN export	3.8.10
CVE-2025-32989	GnuTLS	High	Heap buffer overread in SCT parsing	3.8.10
CVE-2025-32990	GnuTLS	High	Off-by-one heap overflow in certtool	3.8.10
CVE-2025-8110	GOGS	8.7	Path traversal / RCE (KEV)	0.13.4
CVE-2025-64175	GOGS	7.7	Cross-account 2FA bypass	0.13.4
CVE-2026-25242	GOGS	High	Unauthenticated file upload	Patch pending
CVE-2025-35430–35436	Thorium	High	Multiple: path traversal, LDAP injection, DoS, session fixation	1.1.2

The AI Security Race: OpenAI vs. Anthropic

Automated vulnerability discovery is not new. Techniques such as fuzzing, symbolic execution, and rule-based static analysis have been used for decades. Tools like CodeQL and Semgrep have made pattern-based code analysis broadly accessible. What distinguishes reasoning-based AI systems is their ability to model program behavior across multiple code paths simultaneously and prioritize vulnerabilities based on likely exploitability rather than simple pattern matches. The shift is not from no automation to automation — it is from shallow syntactic analysis to contextual semantic reasoning at scale.

The release of Codex Security did not happen in isolation. Earlier in 2026, Anthropic had launched Claude Code Security, its own AI-powered tool for scanning codebases, identifying vulnerabilities, and recommending patches — built into Claude Code, Anthropic's command-line and web-based development assistant. The back-to-back launches from the two leading AI labs signal that automated vulnerability discovery is becoming a strategic priority — and a commercial market — for frontier AI companies. The market took note: following the Anthropic launch, cybersecurity sector stocks declined in the ensuing trading sessions, reflecting investor speculation that reasoning-based vulnerability discovery could reshape parts of the application security tooling market.

The underlying technical approaches differ in meaningful ways. Codex Security integrates directly with GitHub repositories and scans commit by commit in an ongoing fashion, building persistent context about a project over time. Claude Code Security operates through Claude Code (Anthropic's tooling), oriented toward both developer-initiated scanning sessions and continuous analysis, and is currently available to Enterprise and Team customers. Both tools reduce false positive rates significantly compared to traditional static analysis, and both can generate exploit hypotheses and proof-of-concept demonstrations to assist security teams in validating whether a vulnerability is reachable and exploitable.

The scale of AI-driven vulnerability discovery is also building outside these two products. Anthropic's Frontier Red Team, using Claude Opus 4.6, found over 500 high-severity vulnerabilities in production open-source codebases before the product launch — bugs that had survived decades of expert review. Separately, AI security startup AISLE reported that its system discovered all 12 zero-day vulnerabilities in OpenSSL's January 2026 security patch, including a high-severity stack buffer overflow. These are not outliers. They are early indicators of a systemic shift in who finds vulnerabilities and how fast.

What is new here, and what makes both tools consequential, is not merely that AI can find bugs. Static analysis has existed for decades. What is new is that AI can reason about exploitability in system context — it can understand what a piece of code actually does, who calls it, what data flows through it, and whether a theoretical weakness is reachable and weaponizable in that specific deployment. That context-awareness is what distinguishes a 9.8 CVSS finding from the background noise of low-confidence alerts that security teams have been tuning out for years.

We wanted to make sure that we're empowering defenders. — Ian Brelinsky, OpenAI Codex Security team, Axios, March 2026

There is also a meaningful question about what it means for this capability to be widely available. The same reasoning ability that helps defenders find and patch vulnerabilities before attackers find them also reduces the barrier for attackers to analyze code for exploitable weaknesses at scale. There is currently no public evidence that threat actors are deploying reasoning-based vulnerability discovery systems at scale, but the barrier to entry for automated code analysis continues to fall as general-purpose AI models improve. The security community has long debated the dual-use nature of vulnerability research tooling, and AI-powered scanning amplifies both sides of that equation simultaneously. OpenAI's decision to release proof-of-concept generation as a feature — framed as evidence for security teams to validate risk — is a deliberate position in that debate. Anthropic has taken a parallel stance, building detection probes directly into its models to identify and block misuse at inference time, while deliberately limiting early access to vetted enterprise customers.

The open-source maintainer perspective also deserves attention. Both tools target a real and acknowledged pain point: maintainers consistently report that the problem is not too few vulnerability reports, but too many low-quality ones that create triage burden without providing actionable remediation paths. Both OpenAI and Anthropic have responded to this by building programs offering free access for OSS maintainers specifically — a signal that both companies understand the upstream infrastructure risk, and that securing foundational software is partially a public good problem, not only a commercial one.

What This Actually Changes for Defenders

The standard advice after a disclosure like this is familiar: patch the listed versions, apply vendor mitigations, update your asset inventory. That advice is correct. But the more consequential question buried in this story is structural, not tactical: if AI can now find these classes of vulnerabilities at the rate Codex Security demonstrated, what does that mean for how organizations think about the time between a vulnerability existing and being exploited?

The traditional model of vulnerability management assumes a discovery lag. A flaw exists in code for months or years before a researcher finds it, a CVE is issued, vendors patch, and organizations update. The lag gives defenders a window — often an imperfect one, but a window nonetheless. AI-powered scanning compresses that lag on both sides simultaneously. Defenders can now find latent flaws in their own systems faster than ever. But attackers with access to the same capabilities can find those same flaws in publicly available code with equal speed. The 10,561 findings Codex Security found in 30 days were in public open-source repositories — scanning 1.2 million commits represents analysis across thousands of repositories and many years of cumulative development history. The code was always public. The tool just made it tractable to reason about at scale.

This raises a question that most security teams are not yet systematically asking: what is your organization's current inventory of third-party open-source dependencies that have not been assessed by any reasoning-based tool? Traditional software composition analysis (SCA) tools like Dependabot, Snyk, or OWASP Dependency-Check identify known vulnerable versions by checking against CVE databases. They are reactive — they find versions that are already known to be bad. Reasoning-based tools find vulnerabilities that are not yet in the CVE database. The projects affected by Codex Security's findings were not flagged by SCA tools before disclosure. They had no CVEs. They were simply unscrutinized.

There is also an internal threat surface question that most organizations are not addressing. When a security team adopts a reasoning-based scanning tool that can generate proof-of-concept exploits, that tool exists inside the organization's perimeter. The question every security director should evaluate before deployment: what is the governance model for how findings are handled, who has access to unredacted proof-of-concept output, and how are findings stored and retained? Alert triage workflows built for traditional scanner output are not designed with this context in mind. The risk is not that the tool is dangerous in isolation — it is that the workflow around it may not be mature enough for the capability it provides.

A deeper solution architecture also goes beyond the patch cadence conversation. Organizations that want to move from reactive to anticipatory security posture should consider three structural changes that most patch advisories never mention. First, implement software bill of materials (SBOM) generation at build time so the attack surface from the dependency graph is known continuously, not reconstructed during an incident. Second, apply network segmentation and zero-trust principles to limit lateral movement even in scenarios where an initial exploit succeeds — a CVSS 9.8 vulnerability that requires network access to exploit is significantly less dangerous in an environment where network segments are tightly controlled. Third, invest in detection engineering around exploitation patterns specific to the vulnerability classes now being surfaced at scale — stack buffer overflows, path traversal, and authentication bypass all have behavioral signatures that can be instrumented in endpoint detection and network monitoring tools even before patches are applied.

The Attacker Timeline Problem

The traditional vulnerability lifecycle assumed a meaningful delay between discovery and weaponization. AI-assisted analysis compresses this timeline dramatically. Once a vulnerability is publicly disclosed — or even hinted at through a patch advisory — attackers can analyze the affected codebase using similar reasoning models to rapidly produce exploit candidates. The patch advisory for CVE-2026-24881 was accompanied almost immediately by public proof-of-concept code. That gap between disclosure and potential exploitation attempts is now measured in hours, not weeks.

In practice, the defensive timeline now runs through three stages in rapid succession: AI finds the vulnerability, maintainers publish patches or advisories, and adversaries use reasoning models to derive working exploit paths from the same public code. For high-value infrastructure software, this cycle can occur in days. Monthly maintenance windows were designed for a world where the average time-to-exploit was measured in weeks or months after disclosure. That model requires re-examination for critical-severity findings with public exploit code.

Where AI Code Scanning Should Be Deployed First

Organizations adopting reasoning-based vulnerability discovery should prioritize repositories that represent the highest exposure and the highest potential for latent debt. Security-sensitive components — authentication, cryptography, session management, and networking — warrant first attention. Legacy C and C++ codebases carry a disproportionate concentration of the vulnerability classes AI scanning surfaces best: memory corruption, off-by-one errors, and unsafe pointer handling. Infrastructure libraries used by multiple internal services deserve early scanning because a single finding there cascades across the organization's attack surface.

Public-facing services exposed to untrusted input are an obvious priority. Less obvious but equally important is internally developed infrastructure code that has accumulated technical debt over time without ever receiving a formal security audit. The highest return on investment typically comes from code that has been running in production for years, is rarely modified, and has never been analyzed with reasoning-based tools. That description fits a large proportion of enterprise infrastructure.

What AI Code Auditors Still Miss

Despite the scale of findings reported by AI-assisted scanners, several vulnerability classes remain difficult for automated reasoning systems. Business logic flaws require domain understanding that is not visible from a single repository — the tool can read the code, but it cannot always reason about whether a sequence of operations violates a business rule that exists only in a product specification or institutional memory. Authentication workflow abuse that requires understanding multi-step user journeys across systems presents a similar challenge.

Multi-system race conditions and cross-service trust boundary violations often require architectural context spanning multiple codebases and runtime environments simultaneously. AI scanning tools operating on individual repositories cannot fully model these inter-system behaviors. The result is that reasoning-based tools should be viewed as a powerful augmentation to human security review, not a replacement for it. The vulnerability classes they miss tend to be the ones that require the most architectural judgment — which is precisely where experienced security engineers still add unique value.

The Open-Source Maintainer Impact

AI-generated vulnerability discovery has the potential to dramatically increase the volume of reports submitted to open-source maintainers. While higher-quality findings may reduce noise compared to traditional scanners, the absolute number of discoveries may increase significantly as these tools become more widely deployed. Both OpenAI and Anthropic have partially anticipated this by building programs that offer free access for OSS maintainers — a signal that both companies recognize the upstream infrastructure risk and that securing foundational software is partly a public good problem.

The operational challenge remains real. Many foundational infrastructure projects are maintained by small teams or individual volunteers who already report that triage burden is a significant constraint on their ability to respond to security reports. Responsible disclosure workflows, coordinated patch releases, and security triage processes will need to scale to accommodate a higher discovery rate. Organizations that depend on open-source infrastructure — which is to say, effectively all organizations — have an indirect interest in this outcome and some responsibility for contributing to it through sponsorship, coordination, and disclosure support.

What This Means for the Application Security Market

Traditional application security tooling vendors have historically relied on signature-based static analysis and dependency scanning. Reasoning-based vulnerability discovery challenges this model by automating the types of code review that previously required specialized security researchers billing significant hourly rates. When Anthropic launched Claude Code Security earlier in 2026, cybersecurity sector stocks declined in the days following the announcement, reflecting investor speculation that reasoning-based vulnerability discovery could reshape parts of the application security tooling market.

If these capabilities continue to improve, the application security tooling landscape may consolidate around platforms that combine reasoning-based vulnerability discovery, exploit validation, automated patch generation, and dependency intelligence in a single workflow. Vendors that rely primarily on rule-based scanning may face increasing competitive pressure regardless of their installed base size.

The Memory Safety Question

A notable pattern across the vulnerabilities surfaced by Codex Security is the prevalence of memory corruption bugs. Stack overflows, heap overreads, double-free conditions, and off-by-one errors are common in software written in memory-unsafe languages. CVE-2026-24881 is a stack buffer overflow. The three GnuTLS flaws are a double-free, a heap overread, and an off-by-one heap overflow. These classes of bugs are largely eliminated in memory-safe languages like Rust, Go, and Java through language-enforced bounds checking and ownership models that make this category of error structurally impossible.

As AI-assisted code auditing becomes more common, the security cost of maintaining large legacy C codebases becomes increasingly visible and increasingly quantifiable. Organizations evaluating long-term infrastructure strategies now have a more concrete basis for assessing the cost-benefit calculation on memory-safe rewrites or incremental migration. The NSA, CISA, and several major technology companies have published guidance recommending a shift toward memory-safe languages for new development. The scale of findings from a single 30-day beta scan provides empirical support for why.

The Questions Security Leaders Should Be Asking Right Now

This disclosure is not only a patch list. It is a prompt for structural questions that most security programs are not yet systematically asking.

• How quickly can your organization detect vulnerabilities that have not yet received CVE identifiers — before they appear in KEV catalogs and attacker toolkits?
• Which internal repositories have never been analyzed with reasoning-based scanning, and how many of them handle authentication, cryptographic operations, or network input?
• What governance model exists for handling AI-generated proof-of-concept exploit code — who has access to unredacted findings, and how are they stored and retained?
• Which third-party open-source dependencies in your software bill of materials have never undergone any form of security audit beyond SCA version matching?
• Does your patch cadence include a mechanism for emergency response to critical-severity findings with active exploit code, separate from the standard monthly maintenance window?

Key Takeaways

1. Patch GnuPG to 2.5.17 now. CVE-2026-24881 is a high-severity stack-based buffer overflow. Severity scores vary by source — Amazon Linux ALAS rates it CVSSv3 8.1, while other aggregators rate it as high as 9.8; NVD has not yet completed its own assessment as of March 11, 2026. Any system processing S/MIME messages through gpg-agent is potentially exposed. There is no justification for delay regardless of which score applies. If immediate upgrade is not possible, disable S/MIME decryption processing in gpg-agent as a temporary measure and monitor gpg-agent process crash logs for exploitation indicators.
2. Update GnuTLS to 3.8.10. Three memory corruption vulnerabilities in the cryptographic library that underpins TLS across major Linux distributions. All three are fixed in 3.8.10 and distribution-packaged updates should be available from Debian, Ubuntu, Fedora, and RHEL security repositories. Verify the installed library version explicitly — some environments have GnuTLS pinned by dependency constraints that may require manual intervention.
3. GOGS requires immediate action and a migration plan. CVE-2025-8110 is in CISA's KEV catalog and under active exploitation with real malware payloads. Upgrade to 0.13.4, enable RequireSigninView, restrict network access to internal networks or VPN, and begin evaluating Gitea as a long-term replacement. Instances with open internet exposure and open registration should be treated as potentially compromised until forensically verified. The migration to Gitea is the only defensible long-term posture given GOGS's security response trajectory and the simultaneous active exploitation of multiple CVEs.
4. PHP, Chromium, OpenSSH, Thorium, libssh: verify your versions. The Codex Security findings extend across the full web and development stack. Any PHP branch below the patched versions, any Chromium-based browser not on the March 2026 stable release, any OpenSSH Portable installation not on the latest upstream, any Thorium install below 1.1.2, and any libssh build below 0.11.2 or built against OpenSSL below 3.0 should be updated on the next available maintenance window. Automate version verification through your configuration management platform so these checks run continuously.
5. Build or update your SBOM and run it against these findings. If your organization does not have a current software bill of materials for production systems, use this disclosure as a forcing function to establish one. SBOM generation at build time is the only reliable way to know whether any of these affected versions are present in your environment and to verify that your patching response is complete. Tools like Syft, CycloneDX, or SPDX tooling can be integrated into CI/CD pipelines at low cost.
6. Treat AI-powered scanning as an accelerant, not just a tool. The 10,561 high-severity findings across 1.2 million commits is a statement about how much surface area exists that has never been assessed with reasoning-based analysis. Both OpenAI and Anthropic now offer these capabilities, and adversaries with equivalent tools are not waiting for enterprise procurement cycles. Defenders who integrate reasoning-based scanning into their development pipelines and vendor assessment processes now will find and close vulnerabilities before they appear in KEV catalogs rather than after. The organizations that treat this moment as a patch-list exercise rather than a structural shift in their security program will find themselves perpetually behind the curve.

The open-source software supply chain has always carried latent risk from code that was written correctly enough to function but not carefully enough to be secure. What Codex Security demonstrated in 30 days of beta scanning is that the latent risk is measurable, the flaws are real, and the tools to find them at scale now exist on both sides of the attacker-defender line. The defenders who move first — not just on patching, but on building the infrastructure to know what they're running and assess it continuously — will be the ones who close these windows before attackers find the same doors.

Questions Security Teams Should Be Asking

The following commands verify installed versions of the software most directly affected by these findings:

gpg --version
gnutls-cli --version
ssh -V
php -v

• Do we have a current SBOM for every production system, and is it generated automatically at build time or manually maintained?
• Which dependencies in our stack have never undergone a formal security review — not a scan, but an actual code audit?
• What is our documented patch response time for critical vulnerabilities with active exploit code in the wild, and when did we last test whether we actually meet it?
• Are reasoning-based vulnerability scanners — from OpenAI, Anthropic, or comparable tools — part of our secure development lifecycle, or are we still relying entirely on signature-based static analysis?
• If an adversary ran Codex Security or an equivalent tool against our codebase today, what would they find that we have not already found?
• Do we have visibility into whether any of our vendors or open-source dependencies are running software with versions known to be affected by the CVEs disclosed in this report?
• Is our incident response plan updated to account for the compressed timelines that AI-accelerated exploit development now makes realistic?

Quick Answers

What is Codex Security?

Codex Security is an AI-powered application security agent developed by OpenAI. It connects to GitHub repositories, scans code commit by commit, builds a project-specific threat model, validates suspected vulnerabilities in a sandboxed environment, and proposes patches. It differs from traditional static analysis tools by reasoning about each project's architecture and trust boundaries rather than matching code against known signatures — which reduces false positives and surfaces high-confidence, actionable findings.

How does AI vulnerability scanning work?

AI vulnerability scanning uses large language models trained on code to reason about software behavior. Rather than matching patterns against a known signature database, the model analyzes control flow, data handling, memory management, and trust boundaries across the full project context. Codex Security specifically builds a threat model per repository before surfacing findings, then validates suspected vulnerabilities by running proof-of-concept code in an isolated sandbox. Findings that survive sandbox validation are surfaced to developers along with a suggested patch.

What vulnerability did Codex Security find in GnuPG?

Codex Security identified CVE-2026-24881, a stack-based buffer overflow in the GnuPG gpg-agent component. The flaw is triggered by a specially crafted S/MIME EnvelopedData message. Severity scores differ across sources: Amazon Linux ALAS assigns a CVSSv3 base score of 8.1 (High); other commercial aggregators rate it as high as 9.8 (Critical); SUSE describes it as "important severity" without a numeric score; and NVD had not completed its own scoring assessment as of March 11, 2026. The vulnerability is patched in GnuPG version 2.5.17 and later. Systems running older versions with gpg-agent exposed to untrusted S/MIME input should be treated as a priority patch target regardless of which score is used as a reference.

Frequently Asked Questions

What is OpenAI Codex Security?

Codex Security is an AI-powered code analysis system developed by OpenAI that scans software repositories for vulnerabilities using AI vulnerability scanning techniques, validates exploitability in a sandbox environment, and recommends patches to developers. It differs from traditional static analysis by building a full threat model of each project before surfacing findings, which substantially reduces false positive rates compared to signature-based tools.

How many vulnerabilities did Codex Security find?

During early testing the system analyzed more than 1.2 million commits and surfaced over 10,000 high-severity findings, including 792 classified as critical. Fourteen findings received formal CVE security advisory identifiers through the MITRE-coordinated CVE Program. Independent verification by software maintainers is ongoing.

What software was affected by the findings?

The AI code auditing scan identified vulnerabilities across widely used open-source projects including GnuPG, GnuTLS, GOGS, PHP, Chromium-based browsers, libssh, Thorium, and OpenSSH. Many of these projects form the foundation of Linux distributions, remote administration infrastructure, encrypted communications, and web server stacks globally.

Why is AI vulnerability discovery significant?

AI systems can analyze large codebases much faster than manual review, reducing the time between when a vulnerability exists and when it is discovered. This accelerates both defensive patching and potential attacker discovery. Organizations that integrate reasoning-based AI security analysis into their secure development lifecycle can find and close vulnerabilities before they appear in exploitation catalogs rather than after. The same capability available to defenders is available to adversaries, which makes adoption timing consequential.

What is the relationship between Codex Security and the software supply chain?

Secure software supply chain security depends on knowing what components are running and whether those components contain known vulnerabilities. Codex Security's scan of foundational open-source libraries like GnuPG and GnuTLS illustrates how latent risk accumulates in software that forms the base layer of millions of systems. Automated security review at this scale makes the previously unmeasurable measurable. Most vulnerabilities were disclosed to maintainers through coordinated vulnerability disclosure processes prior to public reporting.