OpenSSL HollowByte Vulnerability Disclosed, Posing Denial-of-Service Risk
- CVE ID
- N/A
- CVSS Score
- N/A
- Affected Products
- OpenSSL versions before 4.0.1, 3.6.3, 3.5.7, 3.4.6, and 3.0.21
Overview
Okta’s Red Team has publicly disclosed details of a denial-of-service (DoS) vulnerability, dubbed “HollowByte,” affecting OpenSSL. While OpenSSL quietly addressed this flaw in June 2026 with unannounced patches, the full technical details were made public by Okta on July 17, 2026. The vulnerability, which did not receive a CVE identifier at the time of its initial fix and lacked an accompanying advisory or changelog entry, allows an attacker to cause significant memory exhaustion on vulnerable servers with a minimal amount of traffic.
Technical Details
The HollowByte vulnerability arises from how OpenSSL handles certain TLS (Transport Layer Security) requests. An attacker can send a specially crafted, small (11-byte) TLS request that, when processed by an unpatched OpenSSL server, causes the server to set aside a disproportionately large amount of memory—up to 131 KB—for a message that never fully arrives. On systems utilizing glibc, as tested by Okta, this memory is not released until the affected process is restarted. This leads to a gradual but persistent memory leak, eventually resulting in memory exhaustion and a denial-of-service condition for the affected server.
Real-World Impact
The real-world impact of the HollowByte vulnerability is primarily service disruption. Exploitation can render OpenSSL-dependent services unresponsive or unstable, leading to outages for websites, applications, and any other systems relying on vulnerable OpenSSL versions for secure communication. For critical services, even a temporary denial of service can have significant financial and operational consequences. While this vulnerability does not directly lead to data theft or arbitrary code execution, its ability to reliably take down services makes it a serious threat, especially given the widespread use of OpenSSL across internet infrastructure.
Threat Landscape
Denial-of-service vulnerabilities in fundamental cryptographic libraries like OpenSSL represent a significant concern for the stability and availability of internet services. Although the fix for HollowByte was released in June, the lack of a public CVE or explicit advisory meant many administrators might have been unaware of the severity and thus delayed patching. This scenario highlights a broader challenge in vulnerability management, where critical fixes can go unnoticed without clear communication, leaving a large attack surface open to potential exploitation once details become public.
Remediation
Organizations should immediately verify that their systems are running patched versions of OpenSSL. The vulnerability has been addressed in OpenSSL versions 4.0.1, 3.6.3, 3.5.7, 3.4.6, and 3.0.21. It is crucial to ensure that any OpenSSL instances are updated to these or newer versions. Given that the details were only recently publicized, even systems that are typically kept up-to-date might have missed the unannounced patch. Administrators should also monitor system memory usage on OpenSSL-dependent services for any signs of unexplained exhaustion, which could indicate a successful DoS attempt.
Found something similar in your stack?
Let's find out before it becomes an incident.
Book an advisory call