Return to Threats

OpenSSL HollowByte Flaw Could Freeze Server Memory with 11-Byte TLS Requests

thehackernews.com 2026-07-18 AI supply chain High

What Happened

Eleven bytes will make an unpatched OpenSSL server set aside up to 131 KB of memory for a message that never arrives. On the glibc systems Okta tested, that memory is gone until the process restarts. OpenSSL shipped the HollowByte fix in June with no CVE, no advisory, and no changelog entry pointing at it. Okta's Red Team, which reported the denial-of-service bug and named it, published the

Why It Matters

The article reports Okta Red Team’s disclosure of HollowByte, a denial-of-service flaw in OpenSSL where a malicious, unauthenticated TLS handshake as small as 11 bytes can cause the server to reserve up to roughly 131 KB of memory per connection and block worker threads, leading to sustained memory loss until the process restarts on glibc systems.[1][2][3][6] OpenSSL quietly fixed this behavior as a “bug or hardening” change in versions 4.0.1, 3.6.3, 3.5.7, 3.4.6, and 3.0.21, without a CVE or prominent advisory, by only growing buffers when data arrives instead of trusting attacker-controlled length headers.[1][2][3] From a RealGround perspective, this highlights AI supply chain risk: AI systems and agents that rely on OpenSSL for TLS could suffer availability outages or degraded performance if libraries are not tracked and patched promptly, so organizations should maintain SBOMs that include OpenSSL versions for all AI services, enforce rapid patch SLAs, and continuously red-team AI infrastructure for low-bandwidth DoS vectors tied to underlying cryptographic dependencies.[3][4]

Healthcare Fintech SaaS SMB AI startups

RealGround Analysis

This signal maps to AI supply chain. Organizations using AI agents, LLM APIs, SaaS integrations, or sensitive data workflows should review whether this class of issue could create unauthorized tool execution, data leakage, weak approval gates, or unmanaged supply-chain exposure.

Recommended Actions

  • Restrict AI agent tool permissions and production write paths.
  • Review sensitive data access across prompts, logs, embeddings, memory, and SaaS integrations.
  • Add human approval workflows for high-impact or state-changing actions.
  • Run prompt injection and indirect prompt injection tests against affected workflows.
  • Document the owner, control gap, and remediation deadline for this risk class.

Source

https://thehackernews.com/2026/07/openssl-hollowbyte-flaw-could-freeze.html

Talk to AI CISO