OpenSSL HollowByte patch release
Security Patch ReleaseFirst reported
Last updated
Happening score
H score
30
Summary
Hide ▲
Show ▼
The OpenSSL team silently fixed HollowByte, a no-CVE DoS flaw in OpenSSL servers, and backported the patch to older releases. The fix lands in OpenSSL 4.0.1 and was also backported to 3.6.3, 3.5.7, 3.4.6, and 3.0.21. Organizations running OpenSSL-backed services should move to a fixed release because the bug can be triggered with a tiny 11-byte payload.
Timeline
-
17.07.2026 20:56 2 articles · 1h ago
OpenSSL silently fixes HollowByte and backports the patch to older releases
Mitigation Patch UpdateOkta’s Red Team described HollowByte, an unauthenticated DoS flaw in OpenSSL servers that can be triggered with an 11-byte TLS payload and can drive memory exhaustion and heap bloat; the OpenSSL team silently fixed the issue and backported the patch to OpenSSL 4.0.1, 3.6.3, 3.5.7, 3.4.6, and 3.0.21.
Show sources
- HollowByte DDoS flaw bloats OpenSSL server memory with 11-byte payload — www.bleepingcomputer.com — 17.07.2026 20:56
- HollowByte DDoS flaw bloats OpenSSL server memory with 11-byte payload — www.bleepingcomputer.com — 17.07.2026 20:56