OpenSSL servers HollowByte DoS denial-of-service flaw
Vulnerability
Summary
Hide ▲
Show ▼
HollowByte is a new OpenSSL DoS flaw that lets unauthenticated attackers exhaust memory on affected servers with an 11-byte payload. The bug affects server-side TLS handshake handling, where OpenSSL trusts a declared message size before validating the incoming body. OpenSSL has fixed and backported the issue to 4.0.1, 3.6.3, 3.5.7, 3.4.6, and 3.0.21, and operators are being urged to upgrade immediately.
Timeline
-
17.07.2026 20:56 2 articles · 1h ago
Okta describes HollowByte DoS flaw in OpenSSL servers
Technical Analysis UpdateOkta’s Red Team described HollowByte, an unauthenticated DoS flaw in OpenSSL servers that can be triggered with a malicious 11-byte TLS payload. The flaw abuses handshake-length handling so vulnerable OpenSSL versions allocate the declared length before validating the payload size, which can force memory growth and heap bloat across repeated connections. OpenSSL silently fixed the issue and backported the patch to older releases, including OpenSSL 4.0.1, 3.6.3, 3.5.7, 3.4.6, and 3.0.21.
Show sources
- HollowByte DDoS flaw bloats OpenSSL server memory with 11-byte payload — www.bleepingcomputer.com — 17.07.2026 20:56
- HollowByte DDoS flaw bloats OpenSSL server memory with 11-byte payload — www.bleepingcomputer.com — 17.07.2026 20:56