HollowByte Vulnerability in OpenSSL Allows DoS with 11-Byte Payload

HollowByte Vulnerability in OpenSSL Allows DoS with 11-Byte Payload

First seen 17 Jul 2026, 21:52 UTC BleepingcomputerCybersecuritynewssec.okta.comFeeds.4Sysops 78% similarity 57.8

Article Content

Browse articles
ThreatCluster

The HollowByte vulnerability in OpenSSL enables unauthenticated attackers to trigger a denial-of-service (DoS) condition using a malicious payload of just 11 bytes. Discovered by Okta's Red Team, this flaw exploits how OpenSSL handles memory allocation during the TLS handshake. Vulnerable versions allocate memory based on the declared size in the handshake header before validating the actual data. This can lead to significant memory exhaustion, as the server may reserve large memory chunks for unfulfilled connections. The issue affects widely used software that relies on OpenSSL, including web servers like NGINX and Apache, as well as various language runtimes and databases. The OpenSSL team has released a fix, silently included in version 4.0.1 and backported to older versions. Organizations are advised to update to the patched versions to mitigate the risk. Although DoS vulnerabilities are typically less severe than those allowing data theft, they can still cause operational disruptions.

Key Points: • HollowByte allows DoS attacks on OpenSSL servers with an 11-byte payload. • The vulnerability affects multiple software projects, including NGINX and Apache. • OpenSSL has released a fix, and organizations should prioritize updating their systems.

ThreatCluster AI

Timeline

2026-07-17
HollowByte vulnerability disclosed
Okta's Red Team revealed the HollowByte DoS flaw in OpenSSL, allowing memory exhaustion with an 11-byte payload.
Bleepingcomputer
2026-07-17
OpenSSL patch released
The OpenSSL team released a fix for the HollowByte vulnerability, included in version 4.0.1 and backported to older versions.
sec.okta.com

Community

Browse all →