OpenSSL HollowByte Flaw Could Freeze Server Memory with 11-Byte TLS Requests

OpenSSL HollowByte Flaw Could Freeze Server Memory with 11-Byte TLS Requests
Okta disclosed HollowByte, a denial-of-service flaw in OpenSSL that can force unpatched servers to hold up to 131 KB of memory per connection and keep that memory fragmented on glibc systems even after the connection drops. OpenSSL fixed it in June without a CVE or advisory, and the issue affects TLS only while DTLS remains unaddressed. #OpenSSL #HollowByte #Okta

Keypoints

  • HollowByte can make OpenSSL allocate memory for a TLS message that never arrives.
  • Okta reported that glibc systems keep the memory fragmented until the process restarts.
  • The fix landed in OpenSSL 4.0.1, 3.6.3, 3.5.7, 3.4.6, and 3.0.21 on June 9.
  • OpenSSL handled the issue as a bug or hardening fix, so no CVE or advisory was issued.
  • The fix covers TLS only, and the DTLS path was left unchanged.

Read More: https://thehackernews.com/2026/07/openssl-hollowbyte-flaw-could-freeze.html