A newly discovered vulnerability in OpenSSL, referred to as HollowByte, could allow an attacker to cause a server to allocate significant amounts of memory for TLS requests that do not complete. This flaw affects unpatched OpenSSL servers, which may reserve up to 131 KB of memory for a message that never arrives.
Details of the Vulnerability
The vulnerability was reported by Okta’s Red Team and is characterized by its ability to lead to a denial-of-service condition. When an attacker sends a TLS handshake message, the server allocates memory based on a header that indicates the size of the incoming message. However, in older versions of OpenSSL, this allocation occurs before the body of the message is received, leading to potential memory exhaustion.
Affected Versions and Fixes
The flaw exists in all versions prior to the fixed releases, which include OpenSSL 4.0.1, 3.6.3, 3.5.7, 3.4.6, and 3.0.21, all released on June 9, 2026. Importantly, there is no CVE identifier associated with this vulnerability, nor is there an advisory or changelog entry that highlights it, which complicates the patching process for users.
Impact and Mitigation
Okta’s testing demonstrated that a single connection could lead to significant memory fragmentation, with a 1 GB server experiencing an out-of-memory (OOM) condition due to 547 MB of memory being locked up. On a 16 GB server, the vulnerability could consume 25% of system memory without exceeding the connection limits. This indicates that standard connection-limiting defenses may not be effective against this attack.
OpenSSL’s Response
Despite the potential impact, OpenSSL has classified the HollowByte issue as a ‘bug or hardening’ fix rather than a vulnerability, which is why it has not been assigned a CVE or included in their vulnerability listings. The decision has raised questions about the severity of the issue, especially given that similar memory exhaustion issues in other contexts have received formal CVE designations.
As of now, OpenSSL has not provided further clarification on why this flaw was not treated with higher urgency, nor has it indicated whether the fix will extend to earlier versions such as 1.1.1 and 1.0.2. Users are advised to upgrade to the patched versions and restart any processes using the old versions to mitigate the risk associated with this vulnerability.
This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.








