Okta researchers discovered a denial-of-service vulnerability in OpenSSL that allows attackers to exhaust server memory using minimal network traffic. An 11-byte TLS request triggers unpatched OpenSSL servers to allocate up to 131 KB of memory for a message fragment that never completes arrival. On glibc-based systems, that memory remains locked until the process restarts, making servers vulnerable to resource exhaustion attacks.
OpenSSL released the patch in June without formal acknowledgment. No CVE was assigned, no security advisory issued, and no changelog entry documented the fix. Okta's Red Team identified and named the flaw HollowByte after discovering it during internal testing.
The attack works because OpenSSL allocates memory for incoming TLS records before validating them completely. When an attacker sends a partial message header claiming a large payload size but never sends the actual data, the server reserves that full buffer space indefinitely. Repeated requests from a single attacker or coordinated traffic from multiple sources can rapidly consume available memory, degrading server performance or triggering out-of-memory conditions.
The vulnerability affects OpenSSL versions prior to the June patch. Servers running affected versions on glibc systems face the greatest risk, though other systems may experience similar issues with different memory behavior. High-volume web services, API gateways, and load balancers handling untrusted TLS connections face elevated exposure.
Organizations running unpatched OpenSSL should prioritize updates immediately. The simplicity of the attack vector—requiring only basic network access and minimal bandwidth—makes this particularly exploitable at scale. Defenders should monitor for TLS connection patterns showing numerous dropped or incomplete sessions, as this may indicate active exploitation attempts.
The quiet patching approach, while avoiding premature disclosure, left many operators unaware of the vulnerability's existence. Security teams should verify Open
