Overview
A newly disclosed vulnerability dubbed HollowByte allows unauthenticated remote attackers to trigger a denial-of-service condition on OpenSSL-based servers with a malicious payload of just 11 bytes. The flaw causes the target server to allocate memory in an unbounded fashion, rapidly exhausting available RAM and rendering the server unresponsive.
The vulnerability was reported by BleepingComputer on July 17, 2026, and underscores how seemingly trivial input can have catastrophic effects when cryptographic library parsing logic fails to impose proper size constraints.
How HollowByte Works
The HollowByte attack exploits a flaw in how OpenSSL parses specific TLS handshake message structures. When a specially crafted 11-byte payload is received during the TLS connection setup phase, the affected parsing routine interprets a field in the packet as an allocation size without adequately validating it against expected bounds.
This causes OpenSSL to:
- Receive the 11-byte malicious packet from an unauthenticated client
- Allocate a disproportionately large memory buffer based on the manipulated field value
- Exhaust available system memory as the process balloons
- Crash or become unresponsive, resulting in a denial of service
The unauthenticated nature of the attack is particularly concerning — no valid TLS session or credentials are required to trigger the condition, meaning any network-accessible OpenSSL server is potentially at risk.
Impact
- Affected software: OpenSSL servers (specific version range to be confirmed in the official CVE)
- Attack type: Denial of Service (memory exhaustion)
- Authentication required: None
- Network access required: Yes (the attacker must be able to reach the target port)
- Complexity: Low — a single 11-byte packet is sufficient to trigger the condition
The potential blast radius is significant. OpenSSL underpins the TLS stack of countless web servers, mail servers, VPN gateways, and embedded systems. A lightweight DoS payload of this nature is trivially weaponizable into automated attack tools.
Remediation
Monitor the OpenSSL Security Advisory page for patch releases addressing this vulnerability. When patches are available:
- Update OpenSSL on all affected systems to the patched version
- Restart services that dynamically load OpenSSL (web servers, mail servers, proxies)
- For containerized environments, rebuild and redeploy images using the patched OpenSSL base
Mitigation While Awaiting Patches
Until official patches are released:
- Rate-limit incoming TLS connections at the load balancer or firewall level to reduce the impact of a flood of malicious packets
- Set connection timeout and memory limits at the application or OS level where supported
- Deploy a WAF or TLS-terminating reverse proxy in front of origin servers — if the proxy itself is patched, it can absorb malicious packets before they reach backend services
- Monitor memory usage on TLS-serving processes; set alerting thresholds to detect anomalous growth
- Block suspicious source IPs at the network edge if automated scanning is detected
Broader Context
HollowByte joins a lineage of high-impact OpenSSL vulnerabilities — most famously Heartbleed (CVE-2014-0160) — that demonstrate how parsing bugs in ubiquitous cryptographic libraries can have outsized consequences across the internet. Unlike Heartbleed's data exfiltration impact, HollowByte is purely a DoS vector, but its weaponizability against the entire TLS-speaking internet makes it a critical concern for operators of any public-facing service.
Security teams should treat this as a priority patching event once official fixes are published and ensure their asset inventory covers all systems with OpenSSL as a dependency.