Cybersecurity just now0Add to bookmarks

An 11-byte TLS request is enough to cause OpenSSL server memory to bloat, leading to a denial of service. A formidable asymmetric DoS.
Two independent sources (The Hacker News, BleepingComputer) report on July 17, 2026, a vulnerability named HollowByte in OpenSSL. The principle: a TLS request of only 11 bytes causes disproportionate memory allocation on the server side, up to saturation. This is a class of attack known as memory amplification DoS.
Almost everything that speaks TLS on the Internet and has not yet migrated to a corrected version: Apache/Nginx servers, API backends, reverse proxies, OpenVPN/strongSwan VPNs, mail servers. The critical distinction will be between the affected versions of OpenSSL (LTS 3.x and earlier branches still supported) - to be confirmed on the official advisory openssl.org/news/vulnerabilities.html.
A ratio of 11 bytes ➜ several megabytes of RAM is an operational nightmare: the cost for the attacker is ridiculous (one connection, one packet), the cost for the victim is massive (memory, CPU to free, potential crash). This is a classic of asymmetric DoS attacks, a distant cousin of DNS or NTP amplification attacks from the 2010s.
Note: this is not an RCE, not a memory leak like Heartbleed (which exposed data). It is a denial of service. The business consequence: unavailability, not exfiltration. But an API backend that goes down for an hour during peak hours can be very expensive.
The fact that two sources (The Hacker News, BleepingComputer) report the matter a few hours apart on the same day indicates that the OpenSSL advisory is probably already published or imminent. Public PoCs usually follow within 24-48 hours for this type of well-documented vulnerabilities.
apt update && apt upgrade openssl libssl3 on Debian/Ubuntu, yum update openssl on RHEL).openssl version -a.limit_conn, Cloudflare: rate limiting).The official CVE number, the exact range of vulnerable versions, and the names of affected variants (BoringSSL, LibreSSL, WolfSSL - forks sometimes share the same bugs) remain to be confirmed on the OpenSSL advisory. We will follow up.
An asymmetric DoS attack is an attacker who spends 1 to make you spend 1000. HollowByte pushes the ratio to the extreme with 11 bytes sent against several megabytes blocked.
Article produced by artificial intelligence, reviewed under human editorial control.