🟠 High  |  Source: The Hacker News


A flaw in OpenSSL, dubbed HollowByte by Okta’s Red Team, allows an attacker to send an 11-byte TLS request that tricks an unpatched server into reserving up to 131 KB of memory for a message that never arrives. On Linux systems using glibc, that memory is not released until the process restarts, making repeated requests a viable denial-of-service attack. OpenSSL quietly shipped a fix in June 2025 with no CVE, no security advisory, and no changelog reference.

Security Architect’s Take: Audit your OpenSSL versions across all TLS-terminating workloads — load balancers, API gateways, and application servers — and ensure you are running the patched release. Given OpenSSL shipped this silently, cross-reference your build dates and package versions rather than relying on advisory feeds, and consider adding memory exhaustion monitoring as a compensating control.

Original advisory: OpenSSL HollowByte Flaw Could Freeze Server Memory with 11-Byte TLS Requests