HollowByte: how an 11-byte packet bloats OpenSSL server memory — no CVE, but patched in 4.0.1/3.6.3/3.5.7/3.4.6/3.0.21
OpenSSL has closed a weakness called “HollowByte” — without a CVE number and without a CVSS score, because the project classifies it as a hardening fix rather than a classic security vulnerability. The effect is real nonetheless: vulnerable OpenSSL versions allocate the memory declared in a TLS handshake message header before the actual payload arrives and its size is verified. An attacker sends a mere 11-byte packet whose header announces a much larger message — the server allocates memory for data that never arrives. Across many parallel connections with randomized announced sizes, this specifically defeats glibc's memory reuse and leads to persistent heap fragmentation that outlives the individual connections. Okta's red team demonstrated the effect against NGINX deployments; the weakness is patched in OpenSSL 4.0.1, 3.6.3, 3.5.7, 3.4.6, and 3.0.21.
TL;DR — 90 seconds
- Affected?
OpenSSL versions before 4.0.1, 3.6.3, 3.5.7, 3.4.6, or 3.0.21 (depending on the branch in use) that terminate TLS connections server-side.
- Risk?
No CVE, no CVSS score — classified by OpenSSL as a hardening fix, not a classic vulnerability. Denial of service via memory exhaustion: an 11-byte packet with an inflated length field makes the server reserve memory for data that never arrives; due to glibc allocator behavior, this memory stays bloated even after the connection ends.
- Immediate action?
Update to a patched version (4.0.1 / 3.6.3 / 3.5.7 / 3.4.6 / 3.0.21) and restart the affected worker processes to reclaim already-bloated memory — the patch alone is not sufficient without a restart.
- Recommendation?
Patch promptly on internet-reachable TLS termination points (reverse proxies, load balancers, direct OpenSSL usage) — especially on small, resource-constrained instances, which test reports show are easily depleted.
- Criticality?
medium — no data exposure and no code execution, but a demonstrably effective, low-cost DoS technique against widely deployed TLS infrastructure.
What is the problem?
During a TLS handshake, every message announces in its header how many bytes of payload will follow. Vulnerable OpenSSL versions allocate the memory needed for this already when reading that announcement — not once the data has actually arrived and its size has been verified. An attacker exploits exactly this ordering: a packet of only 11 bytes total is enough to announce a substantially larger message in the header. The server allocates the corresponding memory block and then waits — potentially for a long time — for data that is never sent.
The real amplification effect comes from the interplay with glibc's memory management: glibc does not immediately return small-to-medium allocations to the operating system after they're freed, but keeps them around for potential reuse. An attacker who opens connections across multiple waves, each announcing a differently sized, randomized message length, specifically prevents these memory blocks from being reused — the result is progressive heap fragmentation. This fragmentation outlives the individual connections; the process stays bloated until it is restarted.
OpenSSL treats HollowByte as a hardening measure rather than a vulnerability in the strict sense, presumably because there is no classic memory-safety bug (buffer overflow, use-after-free), but a resource-management issue. The fix changes the allocation behavior: the buffer now grows only as data actually arrives, not based on the header's announcement.
Who is affected?
| Affected | Not affected | Conditions |
|---|---|---|
| OpenSSL before 4.0.1 (4.0 branch) | OpenSSL from the patched versions per branch onward | Server must terminate TLS handshakes itself (not merely pass them through) |
| OpenSSL before 3.6.3, before 3.5.7, before 3.4.6, before 3.0.21 (depending on the branch in use) | Pure TCP passthrough configurations with no TLS termination on the affected system | Attacker must be able to open an arbitrary number of TLS connections to the server |
| Any application using OpenSSL for TLS termination — explicitly demonstrated against NGINX in test reports | No statement in the source regarding BoringSSL, LibreSSL, and other OpenSSL derivatives — not automatically to be treated as “not affected”, should be checked separately | Effect scales with server capacity: small instances are, per test reports, more easily depleted than large ones |
Check your own OpenSSL version quickly with openssl version on the host, or openssl version inside the respective container image.
Impact
HollowByte causes no data exposure and no code execution — the impact is purely availability. Per the reports reviewed, Okta's red-team testing against NGINX showed that resource-constrained environments can easily be driven to exhaustion, while larger servers can lose up to 25% of their memory without crossing typical memory-usage alert thresholds — a pattern that specifically evades classic monitoring thresholds.
Particularly unpleasant operationally: the bloated memory persists even once the attacker has long stopped and all connections are closed — simply dropping connections or rate-limiting new ones does not undo damage that has already occurred. Without a process restart, memory usage stays permanently elevated, which favors recurring failures under load, increased swap usage, or kernel OOM kills.
Mitigation / immediate steps
Operational decision block
- Act now if … you run internet-reachable, resource-constrained TLS termination points (small VMs, edge instances, ingress controllers with tight memory limits) on unpatched OpenSSL.
- Check with priority if … you run larger servers/clusters that terminate TLS — the effect is slower here but, per test reports, can cause up to 25% memory loss without triggering alerts.
- Next regular window if … your systems don't terminate TLS themselves (pure TCP passthrough) or are already on a patched version.
Step 1 — check version and update
# check installed version
openssl version
# target versions (patched):
# OpenSSL 4.0.1 / 3.6.3 / 3.5.7 / 3.4.6 / 3.0.21 (branch-dependent)
# Debian/Ubuntu
sudo apt update && sudo apt install --only-upgrade openssl libssl3
# RHEL/Alma/Rocky
sudo dnf update openssl
# for source/custom builds: rebuild and roll out against the official
# OpenSSL tag of the respective patched version
Step 2 — restart affected processes
# the patch alone is not enough: already-bloated memory is only
# released by restarting the process
sudo systemctl restart nginx
# or the respective TLS-terminating service (haproxy, envoy, your own server)
# compare memory footprint before/after the restart
ps -o rss,cmd -C nginx
Step 3 — defense-in-depth, independent of the patch
# set tight handshake timeouts (example nginx):
# ssl_handshake_timeout 10s;
# limit maximum concurrent connections per worker
# and throttle connection rates per source IP (e.g. via fail2ban,
# nginx limit_conn/limit_req, or an upstream L4 load balancer)Detection / verification
Check version
openssl version
# or per container image:
docker run --rm <image></image> openssl version
Observe memory behavior
No specific indicators of compromise for HollowByte itself were published in the sources we reviewed — the steps below are general observation points derived from the mechanism described:
# watch RSS memory usage of the TLS-terminating process over time,
# independent of the number of currently active connections —
# growth without a corresponding rise in active sessions is the core indicator
watch -n 5 'ps -o rss,cmd -C nginx'
# check for unusually many short-lived TLS connections that
# terminate early during the handshake (access/error logs, connection tracking)
ss -tn state syn-recv
# check memory usage after connections have fully torn down —
# if memory stays high despite no active connections remaining,
# that's a strong signal that fragmentation has already occurredOperator guidance
Mid-market
Patch in the next regular maintenance window and restart the affected services — no CVE, no emergency rollout needed, but no reason to sit on it either, since the technique demonstrably works.
Enterprise / multi-site
Inventory all TLS-terminating components (reverse proxies, load balancers, ingress controllers, your own OpenSSL integrations) and centrally track their OpenSSL version. Extend memory monitoring with an “RSS without active sessions” metric to catch similar patterns earlier in the future.
Hosting / platform operators with many small instances
Urgency is highest here: small, resource-constrained instances are, per test reports, the easiest to exhaust. Prioritize the patch rollout and add handshake timeouts and connection limits as extra protection before the patch is fully rolled out.
Decision block
Act promptly if: small, internet-reachable TLS termination points are running unpatched OpenSSL. A regular window is enough if: already patched, or OpenSSL isn't used for your own TLS termination.
Frequently asked questions about HollowByte
How does the real risk differ between small and large deployments?+
Quite significantly, per the test reports we reviewed: small, resource-constrained instances can easily be driven to exhaustion, while larger servers can lose up to 25% of their memory without crossing typical alert thresholds — there, the risk looks more like creeping degradation than an acute outage, but it isn't negligible.
Can you protect yourself without patching, e.g. via a WAF or rate-limiting?+
Partially: tight handshake timeouts and connection/rate limits per source IP reduce the attack surface and slow down exhaustion, but don't eliminate the underlying weakness. These measures are worthwhile as defense-in-depth but don't replace updating to a patched OpenSSL version.
How does HollowByte differ from a classic SYN flood?+
A SYN flood creates many half-open TCP connections and exhausts connection/socket resources at the network layer. HollowByte operates one layer up, inside the TLS handshake, and specifically exhausts application memory via the allocation ordering — with the difference that, due to glibc's memory reuse, the effect persists even after connections end, whereas SYN-flood exhaustion typically ends when connections are torn down.
Does this also affect derivative libraries like BoringSSL or LibreSSL?+
The source we reviewed makes no statement on this. Since these forks maintain their own codebases with partly divergent handshake implementations, affectedness should be checked separately rather than assumed either way.
Is a restart enough without updating?+
No. A restart does release already-bloated memory, but leaves the underlying weakness unchanged — the next attack bloats memory again. Only updating to a patched version changes the allocation behavior itself.
Why isn't there a CVE for HollowByte?+
OpenSSL classifies the weakness as a hardening fix rather than a classic vulnerability — there's no memory-safety bug in the strict sense (no buffer overflow, no use-after-free), but a resource-management issue in the allocation ordering. That doesn't change the practical effectiveness of the technique, but it does lower formal prioritization in many vulnerability-management processes that rely heavily on CVE/CVSS as a trigger.
Conclusion
HollowByte shows that not every relevant security improvement carries a CVE and a CVSS score — OpenSSL deliberately classifies this weakness as a hardening fix, since it's not a classic memory-safety bug but a resource-management issue. The effect is real nonetheless, and cheap to reproduce: an 11-byte packet is enough to make a server pre-allocate memory it never fills, and the interplay with glibc's allocator behavior turns that into persistent fragmentation rather than a transient blip. Anyone running TLS termination with OpenSSL shouldn't defer this patch just because it lacks a formal CVE number — classification and actual risk diverge here.
Sources
Only the source above was available for HollowByte at the time of this post; an official OpenSSL advisory or release announcement with the exact commit/changelog references could not be independently verified in addition. Details such as the CVSS rating, official designation, and commit history should be cross-checked against the OpenSSL release notes of the named versions before making far-reaching decisions.
I audit your TLS termination points for patch status, set up memory and connection monitoring, and harden handshake timeouts and connection limits as an additional line of defense.
OpenSSL version audit across all TLS-terminating components, memory monitoring beyond simple thresholds, handshake-timeout and rate-limiting hardening.
Ongoing platform operations, not paper advice: I continuously check, patch, and harden your infrastructure.
About the author
![[Translate to English:] Foto von Kai Ole Hartwig.](/fileadmin/_processed_/e/9/csm_ole-neu_73323ad80d.jpeg)
Kai Ole Hartwig
Programming since 2002 – self-taught, set up my own business with KO-Web in 2012. Over 100 projects, with a focus on security, performance, automation and quality. Today freelance: DevSecOps consulting, training and software development.
