Eleven bytes will cause an unpatched OpenSSL server to set aside up to 131 KB of memory for a message that never arrives. On the glibc system tested by Okta, that memory is gone until the process is restarted.
OpenSSL sent Holobyte Fix this in June with no CVE, no advisory and no changelog entry. Okta’s Red Team, which reported the denial of service bug and named it, published details on Thursday.
The confirmed releases are OpenSSL 4.0.1, 3.6.3, 3.5.7, 3.4.6, and 3.0.21, all dated June 9. Every release on those branches is preceded by certain branches. Nothing in the normal patch pipeline will point you to them: there is no identifier to match the scanner and no advice to read.
The drawback is that OpenSSL took the attacker’s word for it. Each TLS handshake message has a 4-byte header, three bytes of which declare how long the body will be. Older versions expanded the receive buffer to that declared size as soon as the header was landed, before a single byte of the body had appeared, and before the handshake’s own checks had run.
The maximum limit for inbound ClientHello is 131 KB. Then the worker thread blocks, waiting for a body that never arrives. No authentication, no session, no key exchange.
memory does not come back
In itself, this is a connection-exhaustion attack, and they are as old as Sloloris. What makes glibc holobyte stick. When the attacker drops the connection, OpenSSL frees the buffer, but glibc keeps small and medium fragments for reuse rather than returning them to the kernel.
The claimed size of the attack varies on every connection, and in Okta’s tests, this was enough to prevent the allocator from reusing what it had freed. Pieces of the pile, the inhabitants climb to the set size, and it remains climbed long after the attacker has left.
In Okta’s NGINX testing, a 1GB server was OOM-killed with 547MB of memory in pieces. On a 16GB server, Holobyte locked 25% of system memory without exceeding the connection limit, which is why the Red Team says “standard connection-limiting protections wouldn’t stop this”.
Those figures are Okta’s own, and it did not publish any exploit code with them. Hacker News could not find any public proof-of-concept repository on GitHub as of July 18.
OpenSSL decided this is not a vulnerability
The pull request from Matt Caswell, who wrote the patch, states this clearly: The security team “chose to handle this simply as a ‘bug or hardening’ fix”. OpenSSL’s own security policy defines four severity levels, from Critical down to Low, and “bug or hardening” is not among them.
Even a low score earns a CVE, a changelog note, and an entry on the vulnerabilities page. Holobyte has none of the three. Hacker News found no mention of the fix in the release notes or all 23 entries in OpenSSL’s 4.0.1 changelog.
OpenSSL did not explain why. Here’s the case for them: 131 KB per connection is small, each TLS server allocates memory per connection, and a limited allocation is not a vulnerability. Okta’s answer is that the memory never comes back.
Hacker News has asked OpenSSL why Holobyte was triaged down to Low, and whether the fix had reached the extended-support 1.1.1 and 1.0.2 branches. It also asked Okta whether fragmentation avoids allocators other than glibc. This story will be updated with any response.
The line of the project is much better than it seems. In January, OpenSSL assigned low rating CVE-2025-66199 to a TLS 1.3 certificate-compression bug in which a heap buffer grew before peer-supplied length validation, amounting to approximately 22 MB per connection.
It needed four things to queue up: certificate compression compiled, a compression algorithm available, the extension negotiated, and, on the server, the client certificate requested. Holobyte doesn’t need any of this.
The same June 9 release assigned a medium rating to CVE-2026-34183 for unbounded memory growth in the QUIC PATH_CHALLENGE handler. Both are memory-exhaustion DoS. Both got marks.
The release also closed 18 CVEs, including a high-severity use-after-free in PKCS7_verify(), so anyone running one of those upstream builds is fixed without notice.
Downstream is worse. Red Hat’s documented default is to backport rather than migrate versions, so a patched package still reports the version from which it was built. A common solution is to use ADVICE and OVAL feeds, both of which are associated with CVE names. There is no CVE to key here.
That leaves the package changelog or maintainer: Ask if they’ve rebased or patched the June 9 release, which is pull request 30792 for master and 4.0, 30793 for 3.6, 3.5 and 3.4, and 30794 for 3.0.
If you build OpenSSL yourself, upgrade to the listed release and restart whatever old one is loaded.
This improvement covers TLS only. Caswell wrote on the pull request that DTLS was left alone because doing it properly would have been far too invasive, and the project decided not to bother with it for now. Hacker News compared the source of OpenSSL on 3.6.2 and 3.6.3 tags and found the DTLS handshake file bytes to be identical in all fixes. In 4.0.1, the latest release, that path still sizes its buffer by the length declared by the peer.
OpenSSL has not classified that path or committed to fixing it. The release notes, changelog and vulnerabilities page don’t say anything about it. Pull requests.