This 11-Byte TLS Request Can Lock OpenSSL Servers in a Memory Freeze

ยท
Listen to this article~3 min
This 11-Byte TLS Request Can Lock OpenSSL Servers in a Memory Freeze

A tiny 11-byte TLS request can lock up 131 KB of memory on unpatched OpenSSL servers running glibc, causing a memory leak until the process restarts. Okta's Red Team discovered the HollowByte flaw, but OpenSSL fixed it quietly without a CVE or advisory.

Imagine sending a tiny 11-byte message and causing a server to lock up 131 KB of memory that never gets freed. That's exactly what the HollowByte flaw does to unpatched OpenSSL systems. On glibc-based setups tested by Okta, that memory stays reserved until you restart the entire process. It's a quiet but nasty denial-of-service trick that can silently degrade performance over time. OpenSSL quietly shipped the fix for HollowByte back in June, but here's the kicker: no CVE was assigned, no advisory was published, and the changelog didn't even mention it. Okta's Red Team discovered the bug, named it HollowByte, and reported it responsibly. But the lack of public disclosure means many servers might still be vulnerable right now. ### How HollowByte Works The vulnerability lives in how OpenSSL handles certain TLS handshake messages. A malicious client sends a specially crafted 11-byte request that tricks the server into allocating up to 131 KB of memory for a response that never comes. On systems using glibc, that memory is effectively lost until the process restarts. Over time, repeated attacks can exhaust available memory and crash the server. - Attack size: Just 11 bytes of TLS data - Memory wasted per attack: Up to 131 KB - Impact: Memory leak until process restart - Affected systems: OpenSSL servers on glibc ### Why This Matters for Security Teams This isn't your typical flashy vulnerability with a public CVE and a big press release. It's the kind of bug that flies under the radar. Security teams relying on OpenSSL might not even know their systems are at risk. The fix is already in the codebase, but without proper documentation, many administrators won't know to apply it. Here's what you should do: - Update OpenSSL to the latest version immediately - Check your changelogs for the HollowByte fix - Monitor memory usage for unexplained leaks - Consider rate-limiting TLS connections from untrusted sources ### The Takeaway HollowByte is a reminder that not all security threats come with a warning label. OpenSSL fixed it quietly, but the responsibility to patch falls on you. Don't wait for a CVE to take action. If you're running OpenSSL on glibc, update now. A few bytes can cause a lot of damage when no one's looking. > "The most dangerous vulnerabilities are the ones nobody talks about." - Security adage Stay ahead of the curve. Patch early, patch often.