OpenSSL HollowByte memory-exhaustion flaw analysis
๐ก๏ธ OpenSSL received a silent June fix for a denial-of-service issue Okta branded "HollowByte," which causes servers to allocate up to 131 KB per TLS ClientHello before the body arrives. The bug lets attackers exhaust connections and, on glibc systems, fragment the heap so freed memory remains resident until process restart. Fixed releases are 4.0.1, 3.6.3, 3.5.7, 3.4.6, and 3.0.21 dated June 9, but OpenSSL chose to treat the change as a "bug or hardening" without a CVE, advisory, or changelog note.
