Find notable cyber news and cases, enriched with sources, timelines, and signals.

OpenSSL HollowByte patch release

Security Patch Release
First reported
Last updated
Happening score
H score 30
1 unique sources, 1 articles

Summary

Hide ▲

The OpenSSL team silently fixed HollowByte, a no-CVE DoS flaw in OpenSSL servers, and backported the patch to older releases. The fix lands in OpenSSL 4.0.1 and was also backported to 3.6.3, 3.5.7, 3.4.6, and 3.0.21. Organizations running OpenSSL-backed services should move to a fixed release because the bug can be triggered with a tiny 11-byte payload.

Timeline

  1. 17.07.2026 20:56 2 articles · 1h ago

    OpenSSL silently fixes HollowByte and backports the patch to older releases

    Mitigation Patch Update

    Okta’s Red Team described HollowByte, an unauthenticated DoS flaw in OpenSSL servers that can be triggered with an 11-byte TLS payload and can drive memory exhaustion and heap bloat; the OpenSSL team silently fixed the issue and backported the patch to OpenSSL 4.0.1, 3.6.3, 3.5.7, 3.4.6, and 3.0.21.

    Show sources