Close Menu
    What's Hot

    7 Americans Sent to Disputed Kenya Ebola Site After New Trump Travel Ban

    Applications close in 48 hours — here’s everything Australian founders need to know about Stripe x Startup Battlefield

    Reformation IPO bets fast fashion can keep up with Big Fashion

    Facebook X (Twitter) Instagram
    Trending
    • 7 Americans Sent to Disputed Kenya Ebola Site After New Trump Travel Ban
    • Applications close in 48 hours — here’s everything Australian founders need to know about Stripe x Startup Battlefield
    • Reformation IPO bets fast fashion can keep up with Big Fashion
    • F.N.B. Corporation (FNB) Q2 2026 Earnings Call Transcript
    • OpenSSL HollowByte Flaw Could Freeze Server Memory with 11-Byte TLS Requests
    • The viral watermelon ice cream hack looks like magic. Does it actually work?
    • Trump’s Election Claims and SAVE Act Push Find Muted Response From G.O.P. Lawmakers
    • Trump Pursues a Deeper Bond With China’s Leader, Despite Hostile Speech
    interluknewsinterluknews
    • Home
    • Business
      • Corporate News
      • Industry Insights
      • Startups & Entrepreneurship
      • Technology & Innovation
    • Economy
      • Economic Policy
      • Financial Analysis
      • Inflation & Interest Rates
      • Trade & Markets
    • Global
      • Conflicts & Security
      • Diplomacy
      • Global Trends
      • International Affairs
    • Lifestyle
      • Fashion
      • Food & Dining
      • Personal Development
      • Travel
    • Opinion
      • Columns
      • Editorials
      • Expert Opinions
      • Reader Voices
    • More
      • Politics
        • Elections
        • Government & Policy
        • International Relations
        • Political Analysis
      • Sports
        • Cricket
        • Football / Soccer
        • International Sports
        • Local Sports
      • Technology
        • Artificial Intelligence
        • Cybersecurity
        • Gadgets & Reviews
        • Tech News
      • South Africa News
    Facebook X (Twitter) Instagram
    interluknewsinterluknews
    Cybersecurity

    OpenSSL HollowByte Flaw Could Freeze Server Memory with 11-Byte TLS Requests

    adminBy adminJuly 18, 2026No Comments5 Mins Read
    Share Facebook Twitter Pinterest Copy Link Telegram LinkedIn Tumblr Email
    OpenSSL HollowByte Flaw Could Freeze Server Memory with 11-Byte TLS Requests
    Share
    Facebook Twitter LinkedIn Pinterest Email

    OpenSSL HollowByte Flaw Could Freeze Server Memory with 11-Byte TLS Requests

    Eleven bytes will make an unpatched OpenSSL server set aside up to 131 KB of memory for a message that never arrives. On the glibc systems Okta tested, that memory is gone until the process restarts.

    OpenSSL shipped the HollowByte fix in June with no CVE, no advisory, and no changelog entry pointing at it. Okta’s Red Team, which reported the denial-of-service bug and named it, published the details on Thursday.

    The fixed releases are OpenSSL 4.0.1, 3.6.3, 3.5.7, 3.4.6, and 3.0.21, all dated June 9. Every release on those branches before the fixed ones has it. Nothing in a normal patch pipeline will point you at them: there is no identifier for a scanner to match and no advisory to read.

    The flaw is that OpenSSL took the attacker’s word for it. Every TLS handshake message carries a 4-byte header, three bytes of which declare how long the body will be. Older versions grew the receive buffer to that declared size the moment the header landed, before a single byte of the body showed up, and before the handshake’s own checks ran.

    For an inbound ClientHello the ceiling is 131 KB. Then the worker thread blocks, waiting on a body that never comes. No authentication, no session, no key exchange.

    The memory does not come back

    On its own, that is a connection-exhaustion attack, and those are as old as Slowloris. What makes HollowByte stick is glibc. When the attacker drops the connection, OpenSSL frees the buffer, but glibc holds small and medium chunks for reuse rather than returning them to the kernel.

    The attack varies the claimed size on every connection, and in Okta’s tests, that was enough to stop the allocator from reusing what it freed. The heap fragments, resident set size climbs, and it stays climbed long after the attacker has gone.

    Cybersecurity

    In Okta’s NGINX testing, a 1 GB server was OOM-killed with 547 MB of memory frozen in fragments. On a 16 GB server, HollowByte locked up 25% of system memory without ever crossing the connection ceiling, which is why the Red Team says “standard connection-limiting defenses won’t stop it”.

    Those figures are Okta’s own, and it published no exploit code alongside them. The Hacker News found no public proof-of-concept repository on GitHub as of July 18.

    OpenSSL decided this wasn’t a vulnerability

    The pull request from Matt Caswell, who wrote the patch, puts it plainly: the security team chose to “handle this as a ‘bug or hardening’ only fix”. OpenSSL’s own security policy defines four severity tiers, Critical down to Low, and “bug or hardening” is not among them.

    Even a Low issue earns a CVE, a changelog note, and an entry on the vulnerabilities page. HollowByte has none of the three. The Hacker News found no mention of the fix in the release notes or in all 23 entries of OpenSSL’s 4.0.1 changelog.

    OpenSSL has not said why. Here is the case for them: 131 KB per connection is small, every TLS server allocates memory per connection, and a bounded allocation is not a vulnerability. Okta’s answer is that the memory never comes back.

    The Hacker News has asked OpenSSL why HollowByte was triaged below Low, and whether the fix reached the extended-support 1.1.1 and 1.0.2 branches. It has also asked Okta whether the fragmentation survives allocators other than glibc. This story will be updated with any response.

    The project’s line is finer than it looks. In January, OpenSSL assigned CVE-2025-66199, rated Low, to a TLS 1.3 certificate-compression bug in which a peer-supplied length grew a heap buffer before validation, worth around 22 MiB per connection.

    That one needed four things to line up: certificate compression compiled in, a compression algorithm available, the extension negotiated, and, on servers, client certificates requested. HollowByte needs none of them.

    The same June 9 release assigned CVE-2026-34183, rated Moderate, to unbounded memory growth in the QUIC PATH_CHALLENGE handler. Both are memory-exhaustion DoS. Both got numbers.

    Cybersecurity

    The release also closed 18 CVEs, including a High-severity use-after-free in PKCS7_verify(), so anyone running one of those upstream builds has the fix without being told.

    Downstream is worse. Red Hat’s documented default is to backport rather than move the version, so a patched package still reports the version it was built from. What normally resolves that is the advisory and the OVAL feed, both keyed to CVE names. There is no CVE here to key on.

    That leaves the package changelog or the maintainer: ask whether they rebased on the June 9 release or took the patch, which is pull request 30792 for master and 4.0, 30793 for 3.6, 3.5, and 3.4, and 30794 for 3.0.

    If you build OpenSSL yourself, upgrade to the listed release and restart whatever loaded the old one.

    The fix covers TLS only. Caswell wrote on the pull request that DTLS was left alone because doing it properly would have been far more invasive, and that the project decided not to bother with it for now. The Hacker News compared OpenSSL’s source at the 3.6.2 and 3.6.3 tags and found the DTLS handshake file byte-identical across the fix. In 4.0.1, the newest release, that path still sizes its buffer from the length the peer declares.

    OpenSSL has not classified that path or committed to fixing it. The release notes, the changelog, and the vulnerabilities page say nothing about it. The pull request does.

    11Byte flaw Freeze HollowByte Memory OpenSSL requests Server TLS
    Follow on Google News Follow on Flipboard
    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email Copy Link
    Previous ArticleThe viral watermelon ice cream hack looks like magic. Does it actually work?
    Next Article F.N.B. Corporation (FNB) Q2 2026 Earnings Call Transcript
    admin
    • Website

    Related Posts

    New wp2shell WordPress Core Flaw Lets Unauthenticated Attackers Run Code

    July 17, 2026

    Seven Malicious Vite npm Packages Use Blockchain C2 to Deliver a RAT

    July 17, 2026

    New NadMesh Botnet Hunts Exposed AI Services for Cloud Keys and Kubernetes Tokens

    July 17, 2026
    Leave A Reply Cancel Reply

    Demo
    Latest Posts

    7 Americans Sent to Disputed Kenya Ebola Site After New Trump Travel Ban

    Applications close in 48 hours — here’s everything Australian founders need to know about Stripe x Startup Battlefield

    Reformation IPO bets fast fashion can keep up with Big Fashion

    F.N.B. Corporation (FNB) Q2 2026 Earnings Call Transcript

    Latest Posts

    Subscribe to News

    Get the latest sports news from NewsSite about world, sports and politics.

    Advertisement
    Demo

    We are a digital news platform delivering timely, accurate, and insightful coverage of politics, global affairs, business, economy, sports, and more. Our mission is to keep readers informed with reliable news, clear analysis, and stories that truly matter.
    We're social. Connect with us:

    Facebook X (Twitter) Instagram Pinterest YouTube

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    Type above and press Enter to search. Press Esc to cancel.

    Powered by
    ...
    ►
    Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
    None
    ►
    Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
    None
    ►
    Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
    None
    ►
    Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
    None
    ►
    Unclassified cookies are cookies that we are in the process of classifying, together with the providers of individual cookies.
    None
    Powered by