Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

HollowByte DDoS flaw bloats OpenSSL server memory with 11-byte payload

0
Low
Vulnerabilitydos
Published: 07/17/2026 (07/17/2026, 17:56:21 UTC)
Source: Bleeping Computer

Description

The HollowByte vulnerability in OpenSSL allows unauthenticated attackers to cause a denial-of-service (DoS) by sending a crafted 11-byte payload that triggers excessive memory allocation during the TLS handshake. This flaw causes the server to allocate memory based on a declared message size before receiving the full payload, leading to heap fragmentation and memory bloat that persists until the process is restarted. The issue has been fixed in OpenSSL 4.0.1 and backported to several earlier versions.

Affected software

Affected versions
>=3.0.0 <3.0.21>=3.4.0 <3.4.6>=3.5.0 <3.5.7>=3.6.0 <3.6.3<4.0.1

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/18/2026, 08:54:52 UTC

Technical Analysis

HollowByte is a denial-of-service vulnerability affecting OpenSSL servers, where an attacker sends a minimal 11-byte TLS handshake message with a header claiming a much larger payload size. Vulnerable OpenSSL versions allocate memory according to the claimed size before receiving the actual data, causing the server to block waiting for data that never arrives and to allocate excessive memory. The GNU C Library's memory allocator behavior exacerbates the issue by retaining freed memory chunks, leading to heap fragmentation and persistent memory bloat. The vulnerability was silently fixed by the OpenSSL team in version 4.0.1 and backported to versions 3.6.3, 3.5.7, 3.4.6, and 3.0.21, where the buffer is only grown upon actual data arrival, ignoring the header's claimed size.

Potential Impact

This vulnerability enables unauthenticated attackers to cause a denial-of-service condition by exhausting server memory resources through repeated connections with small malicious payloads. It can degrade server performance and availability, especially in low-capacity environments, and cause up to 25% memory loss on higher-spec servers without triggering bandwidth-based alerts. The memory bloat persists even after attackers disconnect, requiring a server process restart to fully reclaim memory. While it does not allow data theft or code execution, it can disrupt operations and damage reputation.

Mitigation Recommendations

A fix is available. The OpenSSL team has released version 4.0.1 containing a fix for this issue and backported the patch to versions 3.6.3, 3.5.7, 3.4.6, and 3.0.21. Organizations should prioritize upgrading to these fixed versions immediately to mitigate the risk. No other mitigation is indicated by the vendor advisory.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Threat ID: 6a5b3f4f34329bf928c60d2d

Added to database: 07/18/2026, 08:54:39 UTC

Last enriched: 07/18/2026, 08:54:52 UTC

Last updated: 07/18/2026, 09:00:08 UTC

Views: 4

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses