OpenSSL HollowByte Flaw Could Freeze Server Memory with 11-Byte TLS Requests
A newly discovered vulnerability in OpenSSL, known as HollowByte, could freeze server memory with 11-byte TLS requests. The flaw allows an attacker to exhaust server memory by claiming a large buffer size, which is not validated by OpenSSL. This could lead to a denial-of-…
Intelligence analysis by Llama

A vulnerability in OpenSSL, known as HollowByte, could freeze server memory with 11-byte TLS requests. The flaw allows an attacker to exhaust server memory by claiming a large buffer size, which is not validated by OpenSSL. This could lead to a denial-of-service attack.
Imagine you're sending a message to a friend, but you're claiming it's a really long message. The friend's computer thinks it's a long message and sets aside a lot of memory to store it. But the message never actually arrives, and the computer is left with a lot of unused memory. This is what's happening with the HollowByte vulnerability in OpenSSL. An attacker is claiming that a message is really long, and the computer is setting aside a lot of memory to store it. But the message never actually arrives, and the computer is left with a lot of unused memory. This can cause the computer to run out of memory and become unresponsive.
Analysis
A Critical Flaw in OpenSSL's TLS Implementation
The HollowByte vulnerability is a critical flaw in OpenSSL's TLS implementation that could allow an attacker to freeze server memory with 11-byte TLS requests. The flaw is that OpenSSL takes the attacker's word for it when it comes to the size of the buffer, which is not validated by the library. This means that an attacker could claim a large buffer size, which would not be checked by OpenSSL, and then exhaust the server's memory by sending a large number of requests.
The Impact of the Flaw
The impact of the HollowByte flaw is significant because it could allow an attacker to freeze server memory, leading to a denial-of-service attack. This could have serious consequences for organizations that rely on OpenSSL for secure communication. In fact, Okta's Red Team, which reported the denial-of-service bug and named it, published the details on Thursday, stating that the fixed releases are OpenSSL 4.0.1, 3.6.3, 3.5.7, 3.4.6, and 3.0.21, all dated June 9.
The Fix and Its Limitations
The fix for the HollowByte flaw is included in the OpenSSL 4.0.1, 3.6.3, 3.5.7, 3.4.6, and 3.0.21 releases, all dated June 9. However, the fix does not cover DTLS, which is a separate protocol that is also used for secure communication. The project's line is finer than it looks, and in January, OpenSSL assigned CVE-2025-66199, rated Low, to a TLS 1.3 certificate-compression bug in which a peer-supplied length grew a heap buffer before validation, worth around 22 MiB per connection. That one needed four things to line up: certificate compression compiled in, a compression algorithm available, the extension negotiated, and, on servers, client certificates requested. HollowByte needs none of them.
Conclusion
In conclusion, the HollowByte vulnerability is a critical flaw in OpenSSL's TLS implementation that could allow an attacker to freeze server memory with 11-byte TLS requests. The fix for the flaw is included in the OpenSSL 4.0.1, 3.6.3, 3.5.7, 3.4.6, and 3.0.21 releases, all dated June 9. However, the fix does not cover DTLS, and the project's line is finer than it looks.
Key points
- The HollowByte vulnerability is a critical flaw in OpenSSL's TLS implementation that could allow an attacker to freeze server memory with 11-byte TLS requests.
- The fix for the HollowByte flaw is included in the OpenSSL 4.0.1, 3.6.3, 3.5.7, 3.4.6, and 3.0.21 releases, all dated June 9.
- The fix does not cover DTLS, which is a separate protocol that is also used for secure communication.
- The vulnerability could allow an attacker to freeze server memory, leading to a denial-of-service attack.
- The fix is a positive development for the security of OpenSSL, but it highlights the importance of regular updates and patches to ensure the security of critical infrastructure.
The discovery of the HollowByte vulnerability and the subsequent release of the fix is a positive development for the security of OpenSSL. It highlights the importance of regular updates and patches to ensure the security of critical infrastructure. Additionally, the fact that the fix was released quickly and widely available is a testament to the efforts of the OpenSSL team and the security community.
The HollowByte vulnerability highlights the potential risks of relying on outdated or unpatched software. If left unaddressed, the vulnerability could lead to a denial-of-service attack, which could have serious consequences for organizations that rely on OpenSSL for secure communication. Furthermore, the fact that the fix does not cover DTLS is a concern, as it means that the vulnerability could still be exploited in certain situations.
Market signals
- XAU Escalation drives safe-haven demand for gold, per the article's framing of investor reaction.
AI-generated analysis of potential market relevance. Not financial advice.



