A critical vulnerability, dubbed HollowByte, has been identified impacting OpenSSL servers. This flaw allows unauthenticated attackers to trigger a Denial-of-Service (DoS) condition by sending a malicious payload of merely 11 bytes. The efficiency of this attack—causing significant memory bloat and server instability with minimal bandwidth—makes it a high-risk vector for service disruption. For defenders managing perimeter infrastructure, SSL/TLS termination points, or internal services relying on OpenSSL, this represents a severe availability threat that bypasses traditional volumetric DDoS mitigations. Immediate validation of exposure and patching is paramount.
Technical Analysis
Affected Products: OpenSSL Servers (Linux/Unix variants primarily impacted).
Vulnerability Identifier: Dubbed "HollowByte". (Awaiting CVE assignment at time of writing).
Mechanism of Exploitation: The HollowByte flaw resides in the parsing logic of the OpenSSL library. By crafting a specific 11-byte sequence within the TLS handshake or record layer, an attacker can trigger a memory allocation error. This error causes the server process to enter a loop or allocate excessive memory space (memory bloat), rapidly consuming available system RAM. Once the system memory is exhausted, the OOM (Out of Memory) killer terminates the OpenSSL process, resulting in an immediate service interruption.
Exploitation Requirements:
- Access: Remote, Unauthenticated.
- Complexity: Low. The attack requires only the ability to establish a TCP connection to the SSL/TLS port (typically 443) and transmit the 11-byte payload.
- Impact: High Availability Impact (DoS). No data exfiltration or code execution is implied in the initial reporting.
Exploitation Status: Proof-of-Concept (PoC) code is circulating within security research communities. While no widespread active exploitation campaigns have been confirmed yet, the low complexity of the exploit suggests threat actors will incorporate it into botnet arsenals shortly.
Detection & Response
Detection of HollowByte requires a two-pronged approach: identifying the anomalous network traffic pattern (if visible) and, more reliably, detecting the system-level impact (memory exhaustion and process crashes).
Sigma Rules
---
title: HollowByte Suspicious Small Packet Flood to SSL Port
id: a1b2c3d4-5678-90ab-cdef-1234567890ab
status: experimental
description: Detects potential HollowByte exploitation attempts characterized by a high volume of connections to standard SSL ports with very small payload sizes.
references:
- https://www.bleepingcomputer.com/news/security/hollowbyte-ddos-flaw-bloats-openssl-server-memory-with-11-byte-payload/
author: Security Arsenal
date: 2026/04/06
tags:
- attack.initial_access
- attack.t1190
logsource:
category: network_connection
product: linux
detection:
selection:
DestinationPort|startswith: '44'
Initiated: true
filter:
SourceIp|startswith: '192.168.'
SourceIp|startswith: '10.'
condition: selection and not filter | count() by SourceIp > 100
timeframe: 1m
falsepositives:
- Legacy scanners
- Misconfigured health checks
level: high
---
title: OpenSSL Process Crash Due to Memory Exhaustion
id: b2c3d4e5-6789-01ab-cdef-2345678901bc
status: experimental
description: Detects OpenSSL processes being terminated by the OOM killer, a potential indicator of HollowByte memory bloat exploitation.
references:
- https://www.bleepingcomputer.com/news/security/hollowbyte-ddos-flaw-bloats-openssl-server-memory-with-11-byte-payload/
author: Security Arsenal
date: 2026/04/06
tags:
- attack.impact
- attack.t1499
logsource:
product: linux
service: syslog
detection:
selection:
process|contains: 'openssl'
message|contains:
- 'Out of memory'
- 'Kill process'
falsepositives:
- Legitimate memory exhaustion due to load
level: critical
KQL (Microsoft Sentinel / Defender)
// Hunt for HollowByte: High frequency of small packets to SSL ports
DeviceNetworkEvents
| where DestinationPort in (443, 8443)
| where BytesReceived < 100 // Threshold for small packets indicative of the 11-byte payload + headers
| summarize Count = count(), TotalBytes = sum(BytesReceived) by SourceIP, DestinationIP, DeviceName
| where Count > 50 // Threshold for flood detection
| order by Count desc
| extend RiskScore = iff(Count > 100, "Critical", "High")
Velociraptor VQL
-- Hunt for OpenSSL processes consuming excessive memory (HollowByte indicator)
SELECT Pid, Name, Exe, Username, MemCommit, CreateTime
FROM pslist()
WHERE Name =~ 'openssl'
AND MemCommit > 500000000 // Memory usage > 500MB as a heuristic for potential bloat
-- Check System Logs for OOM Killer activity targeting OpenSSL
SELECT TimeCreated, Message, Severity
FROM parse_csv(filename='/var/log/syslog', sep=' ')
WHERE Message =~ 'openssl'
AND Message =~ 'Out of memory'
Remediation Script
#!/bin/bash
# HollowByte Remediation Script
# Checks OpenSSL version and applies the critical patch (Mockup for Logic)
OPENSSL_VERSION=$(openssl version | awk '{print $2}')
echo "Current OpenSSL Version: $OPENSSL_VERSION"
# Note: Replace '3.0.15' and '3.3.2' with actual patched versions per vendor advisory upon release.
VULNERABLE_VERSIONS="3.0.0 3.0.1 3.0.2 3.0.3 3.0.4 3.0.5 3.0.6 3.0.7 3.0.8 3.0.9 3.0.10 3.0.11 3.0.12 3.0.13 3.0.14"
if [[ " $VULNERABLE_VERSIONS " =~ " $OPENSSL_VERSION " ]]; then
echo "[ALERT] System is running a vulnerable version of OpenSSL susceptible to HollowByte."
echo "[ACTION] Initiating update..."
# Debian/Ubuntu
if [ -f /etc/debian_version ]; then
apt-get update && apt-get install --only-upgrade openssl libssl-dev -y
fi
# RHEL/CentOS
if [ -f /etc/redhat-release ]; then
yum update openssl -y
fi
echo "[REMEDIATE] Restarting SSL dependent services (Nginx, Apache)"
systemctl restart nginx 2>/dev/null
systemctl restart apache2 2>/dev/null
systemctl restart httpd 2>/dev/null
echo "[COMPLETE] Patch applied and services restarted."
else
echo "[SAFE] OpenSSL version is not listed in the immediate vulnerable range."
fi
Remediation
- Patch Immediately: Apply the vendor-supplied patch for OpenSSL as soon as it is available. This flaw requires an update to the underlying library; configuration changes alone will not mitigate the memory bloat.
- Restart Services: After patching, ensure all SSL/TLS terminating services (Nginx, Apache, HAProxy, custom daemons) are fully restarted to load the new shared library.
- Rate Limiting (Temporary): While awaiting patch deployment, implement aggressive rate limiting on edge firewalls or WAFs for incoming TCP connections on ports 443 and 8443. While this won't stop the vulnerability, it reduces the velocity of exploitation attempts.
- Resource Monitoring: Configure monitoring alerts to trigger when OpenSSL process memory usage exceeds standard baselines (e.g., > 500MB for a standard worker process) to catch exploitation attempts early.
Related Resources
Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.