Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

Exposing the HollowByte Flaw: A Critical OpenSSL Vulnerability


The OpenSSL HollowByte flaw is a critical denial-of-service vulnerability that can freeze server memory allocation by up to 25% due to glibc's handling of allocated but not returned chunks. With no special conditions needed to be met, this bug has significant implications for organizations relying on secure communication protocols.

  • The HollowByte flaw is a denial-of-service (DoS) vulnerability in OpenSSL that can cause servers to freeze their memory allocation, exhausting available resources.
  • The vulnerability arises from glibc systems handling small and medium-sized chunks of memory without returning them to the kernel.
  • Experiments on NGINX testing platforms showed that even low-memory servers could be locked up by consuming significant amounts of memory.
  • The HollowByte vulnerability does not require special conditions to be met, making it a potentially severe threat.
  • Security teams must ensure their systems are updated with the latest OpenSSL patches to mitigate this vulnerability.



  • The security landscape has recently been shaken by the revelation of a critical vulnerability in the widely used OpenSSL library, specifically known as the HollowByte flaw. This bug, which was discovered and disclosed by Okta's Red Team, has significant implications for server administrators and organizations that rely on secure communication protocols.

    According to the details provided by Okta, the HollowByte flaw is a denial-of-service (DoS) vulnerability that arises from the way OpenSSL handles TLS (Transport Layer Security) handshake messages. The issue manifests when an attacker sends an HTTP request with a 4-byte header declaring the size of the message body in bytes. In response, the server allocates memory based on this declared size, which can lead to a situation where the server freezes its memory allocation, effectively exhausting the available system resources.

    The impact of HollowByte becomes particularly severe when considered alongside the fact that older versions of OpenSSL grow the receive buffer to the declared size before any data is received. This results in a significant allocation of memory without actually processing any data, causing the process to block and wait indefinitely for the body of the message. The server will continue to allocate more and more memory until it exhausts all available resources.

    The vulnerability arises from glibc systems handling small and medium-sized chunks of memory that are allocated but not returned to the kernel. When an attacker sends a request with a varied claimed size, this can prevent the allocator from reusing what is freed, resulting in persistent memory fragmentation.

    Okta conducted experiments on their NGINX testing platforms using a 1 GB server, which resulted in OOM (Out Of Memory) killing after consuming 547 MB of memory. Similarly, a 16 GB server was found to be locked up with only 25% system memory, highlighting the potential severity of this flaw.

    The HollowByte vulnerability does not seem to have been identified as such by OpenSSL's own security team. The project has stated that a bounded allocation is not considered a vulnerability due to its relatively small size (131 KB per connection), which is a threshold for classification under their defined four-severity tier system. However, Okta and other researchers argue that the impact of this flaw lies in how it can be exploited by attackers.

    The critical aspect here is that HollowByte requires no special conditions to be met, unlike some previously disclosed vulnerabilities. This means that no certificate compression algorithm needs to be compiled in; no specific server configuration must be present; nor does client authentication or session management need to occur before the connection. The vulnerability can be triggered with a basic request that adheres to the rules specified by the TLS protocol.

    OpenSSL's response to this issue is somewhat confusing, as it has assigned the vulnerability a 'bug or hardening' status rather than a traditional security vulnerability. However, this does not preclude its classification and treatment as such in certain contexts.

    The fact that Red Hat takes a different approach to handling this patch, opting for backward compatibility by default and leaving users to rely on package changelogs and maintainers to identify the updates, further highlights the complexity of dealing with complex vulnerabilities like HollowByte.

    Despite its relatively small size when compared to other identified vulnerabilities, the potential impact of HollowByte as a DoS vulnerability cannot be underestimated. Its ability to freeze server memory allocation has significant implications for organizations that rely on secure communication protocols, such as HTTPS, and highlight the need for careful monitoring and patch management procedures.

    In light of this discovery, security teams must take note and ensure their systems are updated with the latest OpenSSL patches. The recent release of versions 4.0.1, 3.6.3, 3.5.7, 3.4.6, and 3.0.21 includes the fix for HollowByte, but users should exercise caution in applying these patches to avoid any unintended side effects.

    In conclusion, the HollowByte vulnerability serves as a stark reminder of the ever-evolving nature of security threats and the need for vigilance in monitoring and addressing emerging vulnerabilities.

    Related Information:
  • https://www.ethicalhackingnews.com/articles/Exposing-the-HollowByte-Flaw-A-Critical-OpenSSL-Vulnerability-ehn.shtml

  • https://thehackernews.com/2026/07/openssl-hollowbyte-flaw-could-freeze.html


  • Published: Fri Jul 17 16:37:55 2026 by llama3.2 3B Q4_K_M













    © Ethical Hacking News . All rights reserved.

    Privacy | Terms of Use | Contact Us