OpenSSL HollowByte Flaw Exploits 11-Byte TLS Requests to Cause Memory Exhaustion
A newly discovered OpenSSL vulnerability, named HollowByte, allows attackers to trigger memory exhaustion on servers using 11-byte TLS requests, leading to denial-of-service conditions and persistent memory fragmentation. The flaw, which lacks a CVE identifier and official advisory, exploits improper memory allocation during TLS handshakes and remains unpatched in some downstream distributions.
Eleven bytes will make an unpatched OpenSSL server set aside up to 131 KB of memory for a message that never arrives. On the glibc systems Okta tested, that memory is gone until the process restarts.
OpenSSL shipped the HollowByte fix in June with no CVE, no advisory, and no changelog entry pointing at it. Okta's Red Team, which reported the denial-of-service bug and named it, published the
*** END OF TRANSMISSION ***