Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
OpenSSL Vulnerability Causes Memory Freeze with Minimal Data

OpenSSL Vulnerability Causes Memory Freeze with Minimal Data

Posted on July 17, 2026 By CWS

Recent findings have highlighted a significant vulnerability in OpenSSL that can cause server memory to be exhausted with minimal data input. The issue, dubbed HollowByte, allows an unpatched OpenSSL server to allocate up to 131 KB of memory with just an 11-byte TLS request. This memory remains occupied until the server process is restarted.

Understanding the HollowByte Flaw

The HollowByte issue was disclosed by Okta’s Red Team, who discovered the denial-of-service (DoS) vulnerability and shared the details publicly. The flaw was quietly fixed by OpenSSL in a June update without an advisory, CVE, or changelog entry to indicate the correction. The affected versions include OpenSSL 4.0.1, 3.6.3, 3.5.7, 3.4.6, and 3.0.21, with previous versions susceptible to the flaw.

The vulnerability arises from OpenSSL trusting the size declared in the header of a TLS handshake message. This trust leads the server to expand its receive buffer to the specified size before receiving the actual message body, resulting in memory allocation based on a potentially false header declaration.

Implications of the Vulnerability

The impact of HollowByte is particularly severe on systems using glibc, as this library retains small and medium memory chunks for reuse rather than returning them to the system. This retention can prevent memory from being reused effectively, leading to fragmentation and increased memory usage over time. In tests conducted by Okta, a 1 GB server was overwhelmed with 547 MB of fragmented memory, while a 16 GB server saw 25% of its memory locked without breaching the connection limit.

Despite these significant implications, OpenSSL has not classified HollowByte as a vulnerability. The security team opted to treat it solely as a bug or hardening issue, which does not require a CVE or formal advisories according to their policy. This decision means that many users might remain unaware of the fix unless they actively check for the specific updates.

Response and Future Outlook

The lack of an official vulnerability classification and associated advisories has led to questions about OpenSSL’s handling of the issue. While Okta has raised concerns about the persistent memory usage, OpenSSL maintains that the memory allocation per connection is typical and not inherently a vulnerability. However, the absence of public exploit codes or widespread proof-of-concept demonstrations keeps the potential risk contained for now.

As the security community awaits further clarification from OpenSSL and possible updates from Okta regarding other allocator behaviors, users are advised to update their OpenSSL installations to the fixed versions. This proactive approach can help mitigate potential risks associated with the HollowByte flaw. Moving forward, the emphasis will be on monitoring how OpenSSL addresses similar issues, especially in its extended-support branches, to ensure robust security measures are in place.

The Hacker News Tags:Bug Fix, denial of service, glibc, HollowByte, memory exhaustion, memory freeze, Okta, OpenSSL, OpenSSL update, security flaw, security patch, server memory, server vulnerability, TLS, TLS Handshake

Post navigation

Previous Post: EY Faces Data Breach: IT System Compromised
Next Post: OpenSSL Vulnerability ‘HollowByte’ Poses Severe Threat

Related Posts

Fortinet Confirms Active FortiCloud SSO Bypass on Fully Patched FortiGate Firewalls Fortinet Confirms Active FortiCloud SSO Bypass on Fully Patched FortiGate Firewalls The Hacker News
New China-Linked Hacker Group Hits Governments With Stealth Malware New China-Linked Hacker Group Hits Governments With Stealth Malware The Hacker News
Russian Hackers Target Ukrainian Organizations Using Stealthy Living-Off-the-Land Tactics Russian Hackers Target Ukrainian Organizations Using Stealthy Living-Off-the-Land Tactics The Hacker News
Microsoft August 2025 Patch Tuesday Fixes Kerberos Zero-Day Among 111 Total New Flaws Microsoft August 2025 Patch Tuesday Fixes Kerberos Zero-Day Among 111 Total New Flaws The Hacker News
Oracle E-Business Suite Flaw Exploited Vulnerability Oracle E-Business Suite Flaw Exploited Vulnerability The Hacker News
CISA Flags VMware Vulnerability Amid Active Exploits CISA Flags VMware Vulnerability Amid Active Exploits The Hacker News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • OpenSSL Vulnerability ‘HollowByte’ Poses Severe Threat
  • OpenSSL Vulnerability Causes Memory Freeze with Minimal Data
  • EY Faces Data Breach: IT System Compromised
  • Malicious Vite npm Packages Exploit Blockchain for Cyberattack
  • Ransomware Disrupts Fairlife Production in U.S.

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • OpenSSL Vulnerability ‘HollowByte’ Poses Severe Threat
  • OpenSSL Vulnerability Causes Memory Freeze with Minimal Data
  • EY Faces Data Breach: IT System Compromised
  • Malicious Vite npm Packages Exploit Blockchain for Cyberattack
  • Ransomware Disrupts Fairlife Production in U.S.

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark