OpenSSL Bug Silently Devours Memory
A newly identified memory-fragmentation flaw in OpenSSL allows attackers to exhaust server resources without triggering standard defenses.
A critical oversight in memory management within OpenSSL has surfaced, enabling a denial-of-service condition that effectively freezes server resources. By transmitting a mere 11-byte request, an attacker can trick an unpatched server into reserving up to 131 KB of memory, which fails to return to the system pool even after the connection terminates.
The Mechanics of Memory Exhaustion
The vulnerability stems from how OpenSSL handles incoming TLS handshake headers. Before verifying the authenticity or content of a transmission, the system reads a 4-byte header that includes a length declaration. Historically, OpenSSL would immediately allocate a buffer matching this declared size. When combined with the behavior of glibc, the issue escalates; while the memory is technically freed, the allocator fails to return it to the kernel, causing the heap to fragment and the process's resident set size to grow indefinitely.
This persistent memory leak ensures that a server's footprint expands with every malicious connection attempt. Because this behavior bypasses traditional request limits, it creates an unconventional stability risk for infrastructure.
A Quiet Patching Cycle
Despite the severity of the memory exhaustion, OpenSSL developers opted to categorize the fix as a maintenance hardening measure rather than a formal security vulnerability. Consequently, the June 9 release contained no CVE identifier and no explicit advisory, leaving many security teams unaware of the underlying risk.
standard connection-limiting defenses won't stop it
— The Red Team, Okta
Quantifiable System Impact
- 11 bytes: The minimum size of a malicious TLS request required to trigger the buffer allocation.
- 131 KB: The maximum amount of memory reserved per connection for a ClientHello message.
- 547 MB: The amount of memory frozen in fragments during testing on a 1 GB server before an OOM-kill event occurred.
- 25%: The percentage of system memory consumed on a 16 GB server without exceeding typical connection thresholds.
Navigating Unlabeled Security Fixes
The lack of a formal CVE creates significant friction for downstream maintainers. Because security scanners rely on CVE databases and OVAL feeds to detect vulnerable versions, this flaw remains invisible to most automated auditing tools. Organizations relying on distributions like Red Hat, which utilize backporting, may find that their software reports an older version number despite potentially containing the patched code. Administrators must verify if their current builds incorporate the fixes found in versions 4.0.1, 3.6.3, 3.5.7, 3.4.6, or 3.0.21. For those manually managing dependencies, the relevant pull request history serves as the primary audit trail, as the standard documentation remains silent on this specific threat.
Continue Reading
AI Spam Filters Falter Against Salting
Modern LLM-powered email security is struggling to identify phishing attempts that use decades-old text-hiding techniques.
GPT-5.6 Data Erasure: An Honest Error?
OpenAI confirms that its latest model occasionally wipes user files, attributing the behavior to internal alignment miscalculations.
Critical Path Traversal Flaw Found in IBM Langflow OSS
A critical vulnerability in IBM Langflow OSS allows for arbitrary file writes, posing a severe risk to systems utilizing the APIRequest component.