Find notable cyber news and cases, enriched with sources, timelines, and signals.

OpenSSL servers HollowByte DoS denial-of-service flaw

Vulnerability
First reported
Last updated
Happening score
H score 18
1 unique sources, 1 articles

Summary

Hide ▲

HollowByte is a new OpenSSL DoS flaw that lets unauthenticated attackers exhaust memory on affected servers with an 11-byte payload. The bug affects server-side TLS handshake handling, where OpenSSL trusts a declared message size before validating the incoming body. OpenSSL has fixed and backported the issue to 4.0.1, 3.6.3, 3.5.7, 3.4.6, and 3.0.21, and operators are being urged to upgrade immediately.

Timeline

  1. 17.07.2026 20:56 2 articles · 1h ago

    Okta describes HollowByte DoS flaw in OpenSSL servers

    Technical Analysis Update

    Okta’s Red Team described HollowByte, an unauthenticated DoS flaw in OpenSSL servers that can be triggered with a malicious 11-byte TLS payload. The flaw abuses handshake-length handling so vulnerable OpenSSL versions allocate the declared length before validating the payload size, which can force memory growth and heap bloat across repeated connections. OpenSSL silently fixed the issue and backported the patch to older releases, including OpenSSL 4.0.1, 3.6.3, 3.5.7, 3.4.6, and 3.0.21.

    Show sources