AES has been a major target of cryptanalysis, and it has held up pretty well. Publicly known key recovery attacks are only slightly faster than brute force, like [1]. There are some efficient related-key attacks, which might be a concern in certain applications, but not if keys are chosen randomly.
It's always possible that the NSA has found better attacks, but I don't think there's anything particularly suspicious about AES compared to other primitives. (For an example of a highly suspicious primitive, see Dual_EC_DRBG.)
[1] https://eprint.iacr.org/2011/449