[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fY2kDt-yp3Y168CxMuo1oTUs86l4MVvuECMVDzCpRcoU":3},{"article":4,"iocs":46},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":33,"category":34,"article_tags":38},"d196bce9-4836-4156-8eb2-e8fa9e450410","HollowByte DDoS flaw bloats OpenSSL server memory with 11-byte payload","hollowbyte-ddos-flaw-bloats-openssl-server-memory-with-11-byte-payload-eb18b5","A vulnerability dubbed HollowByte allows unauthenticated attackers to trigger a denial-of-service (DoS) condition on OpenSSL servers with a malicious payload of just 11 bytes. [...]","A vulnerability dubbed HollowByte affects OpenSSL servers, allowing unauthenticated attackers to trigger denial-of-service by sending malicious 11-byte TLS handshake payloads that declare larger message sizes. The server allocates memory based on the declared size without validating the payload, and when combined with glibc's memory handling, causes heap fragmentation and permanent memory bloat. OpenSSL has silently patched the flaw in versions 4.0.1, 3.6.3, 3.5.7, 3.4.6, and 3.0.21, and Okta's Red Team recommends immediate upgrades given OpenSSL's critical role in NGINX, Apache, Node.js, Python, databases, and most Linux distributions.","HollowByte DoS flaw in OpenSSL allows 11-byte payload to exhaust server memory.","HollowByte DDoS flaw bloats OpenSSL server memory with 11-byte payload By Bill Toulas July 17, 2026 01:56 PM 0 A vulnerability dubbed HollowByte allows unauthenticated attackers to trigger a denial-of-service (DoS) condition on OpenSSL servers with a malicious payload of just 11 bytes. The OpenSSL team has silently fixed the vulnerability (no identifier assigned) and backported the patch to older releases. Because the OpenSSL software is the foundational backbone for secure internet communication, organizations should prioritize switching to a fixed version of the library. HollowByte details In an advisory earlier this week, Okta’s Red Team described how the HollowByte DoS vulnerability works and its impact in a real-world scenario. The researchers explain that in a TLS handshake, each message has a 4-byte header for declaring the size of the incoming message. However, vulnerable OpenSSL versions allocate the declared length before receiving the payload and checking its size. Every TLS handshake message begins with a 4-byte handshake header, where a three-byte length field discloses the size of the handshake data that should follow. Without validating the payload, the server trusts the packet's claims and allocates the indicated memory. \"The worker thread then blocks, waiting indefinitely for data that will never arrive,\" Okta explains. An unauthenticated attacker can trigger HollowByte by opening a TLS connection and sending an 11-byte malicious input with a header declaring that a much larger message body will follow. The attacker repeats the same process across multiple connections, causing the server to allocate considerable amounts of memory via a relatively small volume of transmitted data. Okta researchers note that while OpenSSL frees the buffers when a connection drops, the GNU C Library (glibc) has a different way to handle memory and \"does not immediately return small-to-medium allocations to the operating system; it keeps them for potential reuse.\" “By launching waves of connections with randomized claimed sizes, an attacker prevents the allocator from reusing those freed chunks,” Okta says. “The heap fragments heavily, causing the server’s Resident Set Size (RSS) to climb continuously. Even after the attacker disconnects, the server remains permanently bloated.” The only way to fully reclaim the space is by restarting the process. Impact and fixes The open-source OpenSSL library is embedded in popular software projects such as NGINX and Apache web servers, language runtimes (e.g., Node.js, Python, Ruby, PHP), and databases (MySQL, PostgreSQL). It comes pre-installed on most Linux distributions for TLS encryption and certificate handling. In Okta’s tests on NGINX showed that low-capacity environments can be easily depleted of memory using HollowByte, while higher-spec servers may lose up to 25% of their memory while the attack bandwidth remains below security alerting thresholds. Although DoS flaws are considered less severe than vulnerabilities that enable data theft or code execution, they can cause operational disruptions and reputational damage. The HollowByte DoS issue has been fixed in OpenSSL 4.0.1 and backported to versions 3.6.3, 3.5.7, 3.4.6, and 3.0.21, which now grow the buffer only when the data arrives, ignoring header claims. Despite being addressed as a \"hardening fix\" and not a security vulnerability, Okta recommends \"upgrading your distribution's OpenSSL packages immediately.\" Test every layer before attackers do Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection. Get the whitepaper Related Articles: FFmpeg fixes PixelSmash flaw in widely used video decoderF5 issues out-of-band patches for critical NGINX vulnerabilitiesphpBB forum fixes auth bypass bug lurking for a decadeNew 'HTTP\u002F2 Bomb' DoS attack crashes web servers in under a minuteCISA: Hackers now exploit SolarWinds Serv-U flaw to crash servers","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fhollowbyte-ddos-flaw-bloats-openssl-server-memory-with-11-byte-payload\u002F","https:\u002F\u002Fwww.bleepstatic.com\u002Fcontent\u002Fhl-images\u002F2026\u002F07\u002F17\u002Fopenssl-hollowbyte-headpic.jpg","2026-07-17T17:56:21+00:00","2026-07-17T18:00:09.624927+00:00",9,[18,21,24,26,28,31],{"name":19,"type":20},"OpenSSL","product",{"name":22,"type":23},"Okta","vendor",{"name":25,"type":20},"NGINX",{"name":27,"type":20},"Apache",{"name":29,"type":30},"glibc","technology",{"name":32,"type":20},"Node.js","80544778-fabb-4dcd-aa35-17492e5dcf4f",{"id":33,"icon":35,"name":36,"slug":37},null,"Vulnerabilities","vulnerabilities",[39,41],{"category":40},{"id":33,"icon":35,"name":36,"slug":37},{"category":42},{"id":43,"icon":35,"name":44,"slug":45},"ade75414-7914-4e23-a450-48b64546ee70","Open Source","open-source",[47],{"type":48,"value":49,"context":50},"malware","HollowByte","DoS vulnerability affecting OpenSSL servers via malformed TLS handshake messages"]