[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fO6lhoXR9XNLd9N2PVU7tulaE8RH6Y2GtQpKc70FqEu8":3},{"article":4,"iocs":38},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":32,"category":33,"article_tags":37},"9a6bad82-bbca-419d-9990-aeaa86aa32a7","OpenSSL HollowByte Flaw Could Freeze Server Memory with 11-Byte TLS Requests","openssl-hollowbyte-flaw-could-freeze-server-memory-with-11-byte-tls-requests-d32c62","Eleven bytes will make an unpatched OpenSSL server set aside up to 131 KB of memory for a message that never arrives. On the glibc systems Okta tested, that memory is gone until the process restarts. OpenSSL shipped the HollowByte fix in June with no CVE, no advisory, and no changelog entry pointing at it. Okta's Red Team, which reported the denial-of-service bug and named it, published the","OpenSSL shipped a fix in June 2026 for HollowByte, a denial-of-service vulnerability that allows attackers to freeze server memory by sending crafted TLS handshake headers claiming large message bodies that never arrive. The flaw, reported by Okta's Red Team, causes OpenSSL to allocate up to 131 KB per connection, and on glibc systems the memory fragments and is not reclaimed until process restart, enabling attackers to exhaust system memory without triggering connection limits. OpenSSL classified this as a \"bug or hardening\" fix rather than a vulnerability, omitting CVE assignment, advisory, and changelog documentation.","OpenSSL HollowByte flaw allows 11-byte TLS requests to exhaust server memory without CVE assignment.","OpenSSL HollowByte Flaw Could Freeze Server Memory with 11-Byte TLS Requests Swati KhandelwalJul 17, 2026Vulnerability \u002F Server Security Eleven bytes will make an unpatched OpenSSL server set aside up to 131 KB of memory for a message that never arrives. On the glibc systems Okta tested, that memory is gone until the process restarts. OpenSSL shipped the HollowByte fix in June with no CVE, no advisory, and no changelog entry pointing at it. Okta's Red Team, which reported the denial-of-service bug and named it, published the details on Thursday. The fixed releases are OpenSSL 4.0.1, 3.6.3, 3.5.7, 3.4.6, and 3.0.21, all dated June 9. Every release on those branches before the fixed ones has it. Nothing in a normal patch pipeline will point you at them: there is no identifier for a scanner to match and no advisory to read. The flaw is that OpenSSL took the attacker's word for it. Every TLS handshake message carries a 4-byte header, three bytes of which declare how long the body will be. Older versions grew the receive buffer to that declared size the moment the header landed, before a single byte of the body showed up, and before the handshake's own checks ran. For an inbound ClientHello the ceiling is 131 KB. Then the worker thread blocks, waiting on a body that never comes. No authentication, no session, no key exchange. The memory does not come back On its own, that is a connection-exhaustion attack, and those are as old as Slowloris. What makes HollowByte stick is glibc. When the attacker drops the connection, OpenSSL frees the buffer, but glibc holds small and medium chunks for reuse rather than returning them to the kernel. The attack varies the claimed size on every connection, and in Okta's tests, that was enough to stop the allocator from reusing what it freed. The heap fragments, resident set size climbs, and it stays climbed long after the attacker has gone. In Okta's NGINX testing, a 1 GB server was OOM-killed with 547 MB of memory frozen in fragments. On a 16 GB server, HollowByte locked up 25% of system memory without ever crossing the connection ceiling, which is why the Red Team says \"standard connection-limiting defenses won't stop it\". Those figures are Okta's own, and it published no exploit code alongside them. The Hacker News found no public proof-of-concept repository on GitHub as of July 18. OpenSSL decided this wasn't a vulnerability The pull request from Matt Caswell, who wrote the patch, puts it plainly: the security team chose to \"handle this as a 'bug or hardening' only fix\". OpenSSL's own security policy defines four severity tiers, Critical down to Low, and \"bug or hardening\" is not among them. Even a Low issue earns a CVE, a changelog note, and an entry on the vulnerabilities page. HollowByte has none of the three. The Hacker News found no mention of the fix in the release notes or in all 23 entries of OpenSSL's 4.0.1 changelog. OpenSSL has not said why. Here is the case for them: 131 KB per connection is small, every TLS server allocates memory per connection, and a bounded allocation is not a vulnerability. Okta's answer is that the memory never comes back. The Hacker News has asked OpenSSL why HollowByte was triaged below Low, and whether the fix reached the extended-support 1.1.1 and 1.0.2 branches. It has also asked Okta whether the fragmentation survives allocators other than glibc. This story will be updated with any response. The project's line is finer than it looks. In January, OpenSSL assigned CVE-2025-66199, rated Low, to a TLS 1.3 certificate-compression bug in which a peer-supplied length grew a heap buffer before validation, worth around 22 MiB per connection. That one needed four things to line up: certificate compression compiled in, a compression algorithm available, the extension negotiated, and, on servers, client certificates requested. HollowByte needs none of them. The same June 9 release assigned CVE-2026-34183, rated Moderate, to unbounded memory growth in the QUIC PATH_CHALLENGE handler. Both are memory-exhaustion DoS. Both got numbers. The release also closed 18 CVEs, including a High-severity use-after-free in PKCS7_verify(), so anyone running one of those upstream builds has the fix without being told. Downstream is worse. Red Hat's documented default is to backport rather than move the version, so a patched package still reports the version it was built from. What normally resolves that is the advisory and the OVAL feed, both keyed to CVE names. There is no CVE here to key on. That leaves the package changelog or the maintainer: ask whether they rebased on the June 9 release or took the patch, which is pull request 30792 for master and 4.0, 30793 for 3.6, 3.5, and 3.4, and 30794 for 3.0. If you build OpenSSL yourself, upgrade to the listed release and restart whatever loaded the old one. The fix covers TLS only. Caswell wrote on the pull request that DTLS was left alone because doing it properly would have been far more invasive, and that the project decided not to bother with it for now. The Hacker News compared OpenSSL's source at the 3.6.2 and 3.6.3 tags and found the DTLS handshake file byte-identical across the fix. In 4.0.1, the newest release, that path still sizes its buffer from the length the peer declares. OpenSSL has not classified that path or committed to fixing it. The release notes, the changelog, and the vulnerabilities page say nothing about it. The pull request does. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  Denial-of-Service, linux, network security, Open Source, server security, TLS Security, Vulnerability ⚡ Top Stories This Week 16-Year-Old Linux KVM Flaw Lets Guest VMs Escape to Host on Intel and AMD x86 Systems BeyondTrust Patches Critical Auth Bypass Flaws in Remote Support and PRA Court Filing Reveals Windows Device ID Helped FBI Trace Alleged Scattered Spider Hacker Rogue Agent Flaw Could Have Let Attackers Hijack Google Dialogflow CX Chatbots RedWing MaaS Packages Android Bank Fraud as a Telegram Rental Service 15-Year-Old GhostLock Flaw Enables Root and Container Escape on Most Linux Distros GitHub Copilot Refuses Harmful Requests in Chat, Then Writes Them in Code New HalluSquatting Attack Could Trick AI Coding Assistants Into Installing Botnet Malware GhostApproval Symlink Flaws Could Let Malicious Repos Run Code in AI Coding Agents Top AI Agents Built to Catch Malicious Code Can Be Tricked Into Running It Meta's New AI Image Tool Lets Others Use Your Public Instagram Photos in AI Images ThreatsDay: Cloud Bucket Hijacking, Windows LPE Chain, Global Fraud Bust + 17 More Stories Dormant GitHub Accounts Help Attackers Blend In While Mapping Corporate Orgs Attackers Exploit 'Ill Bloom' Vulnerability to Drain Over $5 Million From Cryptocurrency Wallets Unpatched XRING Flaw in XQUIC Lets Remote Clients Crash HTTP\u002F3 Servers Researcher Details WhatsApp-to-Host Attack Chain Using Three OpenClaw Flaws New TrojPix Attack Leaks Data From Air-Gapped Systems via Video Cable Emissions Unpatched Flaws Disclosed in Filesystem Bundled Into Millions of Embedded Devices New \"Bad Epoll\" Linux Kernel Flaw Lets Unprivileged Users Gain Root, Hits Android Google Disrupts NetNut Residential Proxy Network Spanning 2 Million Home Devices European Parliament Member Investigating Spyware Was Hacked With Pegasus ⭐ Featured Resources What 200+ Security Teams Reveal About Using IP Intelligence in 2026 Get Hands-On SANS Training for Today’s Cyber Defense and Offensive Security Challenges See What’s Really Exposed Across Your IT, OT, IoT, Cloud, and Mobile Assets Get Gartner’s Guide to AI Agent Supervision and Runtime Controls","https:\u002F\u002Fthehackernews.com\u002F2026\u002F07\u002Fopenssl-hollowbyte-flaw-could-freeze.html","https:\u002F\u002Fblogger.googleusercontent.com\u002Fimg\u002Fb\u002FR29vZ2xl\u002FAVvXsEhk66eU1Srifu4Rdpf7MZDjg3GdNMtQK6ZW-F283kxhZ7Z0W_8nWNJynZiQ7n0ov9OLNm315P4942h3-unMI0WZ1-LH8tdQ6sv2o6q0TxKT-bVKewzkQULKKXSJOee_oANuI3YquoDgSPHsPeXEdQcFRoy8czRQimH_f0sNHJ55-5LA153sQgUPkpBBEVE\u002Fs1600\u002Fopenssl.jpg","2026-07-17T20:20:53+00:00","2026-07-17T22:00:14.259672+00:00",9,[18,21,24,27,29],{"name":19,"type":20},"OpenSSL","product",{"name":22,"type":23},"OpenSSL Software Foundation","vendor",{"name":25,"type":26},"glibc","technology",{"name":28,"type":26},"NGINX",{"name":30,"type":31},"Okta Red Team","threat_actor","80544778-fabb-4dcd-aa35-17492e5dcf4f",{"id":32,"icon":34,"name":35,"slug":36},null,"Vulnerabilities","vulnerabilities",[],[39,43],{"type":40,"value":41,"context":42},"cve","CVE-2025-66199","Related TLS 1.3 certificate-compression buffer growth issue, rated Low",{"type":40,"value":44,"context":45},"CVE-2026-34183","Related QUIC PATH_CHALLENGE unbounded memory growth, rated Moderate"]