CyberGlossary, Vol. 1 · Ed. 2026, Entry № 529

Heartbleed (CVE-2014-0160)

Reviewed by a cybersecurity entrepreneur and security researcher

What is Heartbleed (CVE-2014-0160)?

Heartbleed (CVE-2014-0160): a 2014 buffer over-read in OpenSSL's TLS heartbeat extension that let attackers read up to 64 KB of process memory per request, leaking keys, sessions, and passwords.


Disclosed in April 2014 and found independently by Google's Neel Mehta and the Finnish firm Codenomicon, Heartbleed (CVE-2014-0160) is a missing bounds check in OpenSSL 1.0.1 through 1.0.1f in the TLS/DTLS heartbeat extension (RFC 6520). A heartbeat request carries a payload plus a length field; the vulnerable code trusted the attacker-supplied length without checking it against the actual payload, so the server copied up to 64 KB of adjacent heap memory into the reply with memcpy. Each request leaked a fresh slice — silently, without authentication, and leaving no log entry on the victim.

The exposed memory commonly contained private RSA keys, session cookies, usernames, passwords and decrypted message bodies. Real incidents followed quickly: the Canada Revenue Agency lost roughly 900 taxpayer social-insurance numbers, and the Community Health Systems breach exposed about 4.5 million patient records via a vulnerable Juniper VPN appliance. Because Perfect Forward Secrecy was rare in 2014, a stolen private key let attackers decrypt previously captured traffic. The fix shipped the next day in OpenSSL 1.0.1g, which validates the length. Correct remediation also meant rotating every certificate and key and invalidating all sessions, since the exfiltration was undetectable.

```mermaid
flowchart TD
  A[Attacker] -->|"Heartbeat: 1-byte payload, claims 64 KB"| B[OpenSSL 1.0.1-1.0.1f]
  B --> C{Length checked<br/>against payload?}
  C -->|"No (vulnerable)"| D["memcpy reads 64 KB<br/>of adjacent heap memory"]
  D --> E[Reply leaks RSA keys,<br/>session cookies, passwords]
  E --> A
  C -->|"Yes (1.0.1g+)"| F[Reply echoes only<br/>the real payload]
```
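The missing check and its fix, as an added example in C that is not OpenSSL's own code: both handlers parse an RFC 6520 heartbeat record (type, 16-bit big-endian payload length, payload, at least 16 bytes of padding). The first trusts the length field the way OpenSSL 1.0.1 through 1.0.1f did; the second applies the shape of the 1.0.1g check, discarding any record whose header, claimed payload and minimum padding do not fit inside the bytes actually received. The `heap` array, the `secret` string placed behind the record, the forged request and all function names are constructed for this example, and the over-read stays inside that array rather than touching real process memory.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 6520 HeartbeatMessage layout:
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes)
 */
#define HB_HEADER_LEN  3
#define HB_PADDING_LEN 16

/* Simulated process heap (constructed for this example, not real memory).
 * The received TLS record is written at offset 0 and unrelated data such as
 * key material sits right behind it. The array is large enough for any
 * 16-bit length, so the vulnerable path over-reads only simulated memory. */
#define HEAP_LEN (HB_HEADER_LEN + 65536)
static unsigned char heap[HEAP_LEN];
static unsigned char reply[65536];
static const char secret[] = "SECRET-KEY-MATERIAL";   /* 20 bytes incl. NUL */

typedef size_t (*handler_fn)(const unsigned char *rec, size_t rec_len,
                             unsigned char *out, size_t out_cap);

/* Write a heartbeat request carrying one real payload byte but a forged
 * length field; returns the number of bytes actually received. */
static size_t place_request(uint16_t claimed_len) {
    memset(heap, 0, sizeof heap);
    heap[0] = 1;                                 /* heartbeat_request */
    heap[1] = (unsigned char)(claimed_len >> 8);
    heap[2] = (unsigned char)(claimed_len & 0xff);
    heap[3] = 'A';                               /* the only real payload byte */
    /* bytes 4..19 are the 16 zero padding bytes left by memset */
    size_t rec_len = HB_HEADER_LEN + 1 + HB_PADDING_LEN;   /* 20 bytes on the wire */
    memcpy(heap + rec_len, secret, sizeof secret);         /* adjacent heap data */
    return rec_len;
}

/* OpenSSL 1.0.1 through 1.0.1f shape: trust the length field and memcpy
 * that many bytes into the reply. rec_len is never consulted; that is the bug. */
static size_t vulnerable_reply(const unsigned char *rec, size_t rec_len,
                               unsigned char *out, size_t out_cap) {
    (void)rec_len;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (payload_len > out_cap) return 0;   /* guard for the demo's reply buffer only */
    memcpy(out, rec + HB_HEADER_LEN, payload_len);
    return payload_len;
}

/* 1.0.1g shape: header + claimed payload + minimum padding must fit inside
 * the bytes actually received; otherwise discard silently (RFC 6520 sec. 4). */
static size_t fixed_reply(const unsigned char *rec, size_t rec_len,
                          unsigned char *out, size_t out_cap) {
    if (rec_len < HB_HEADER_LEN + HB_PADDING_LEN) return 0;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)HB_HEADER_LEN + payload_len + HB_PADDING_LEN > rec_len) return 0;
    if (payload_len > out_cap) return 0;
    memcpy(out, rec + HB_HEADER_LEN, payload_len);
    return payload_len;
}

/* Deliver a forged request to a handler; returns the reply length it produced. */
static size_t run_handler(handler_fn h, uint16_t claimed_len) {
    size_t rec_len = place_request(claimed_len);
    return h(heap, rec_len, reply, sizeof reply);
}

/* 1 if the simulated key material appears in the first n reply bytes. */
static int reply_contains_secret(size_t n) {
    for (size_t i = 0; i + sizeof secret <= n; i++)
        if (memcmp(reply + i, secret, sizeof secret) == 0) return 1;
    return 0;
}

int main(void) {
    size_t n = run_handler(vulnerable_reply, 0x4000);
    printf("vulnerable: %zu-byte reply, secret leaked: %s\n",
           n, reply_contains_secret(n) ? "yes" : "no");
    n = run_handler(fixed_reply, 0x4000);
    printf("fixed:      %zu-byte reply, secret leaked: %s\n",
           n, reply_contains_secret(n) ? "yes" : "no");
    n = run_handler(fixed_reply, 1);
    printf("fixed, honest length 1: %zu-byte reply\n", n);
    return 0;
}
```

The point to take from the two handlers is that the fixed version compares the claimed length against the record length the TLS layer actually delivered, not against the payload bytes themselves, and drops the record without replying rather than truncating it; a silent discard gives a prober no partial echo to learn from.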

Examples

  1. Attackers retrieving the TLS private key of a popular SaaS to decrypt captured traffic.

  2. Mass scraping of session cookies from authenticated users of vulnerable servers.

Frequently asked questions

What is Heartbleed (CVE-2014-0160)?

A 2014 buffer over-read in OpenSSL's TLS heartbeat extension that let attackers read up to 64 KB of process memory per request, leaking keys, sessions, and passwords. It belongs to the Vulnerabilities category of cybersecurity.

How do you defend against Heartbleed (CVE-2014-0160)?

Defending against Heartbleed (CVE-2014-0160) starts with upgrading to OpenSSL 1.0.1g or later, which validates the heartbeat length field, and then treating every key and session on a previously exposed server as compromised: reissue certificates, rotate private keys and invalidate all sessions, since the leak left no log entry to show what was taken. Enabling Perfect Forward Secrecy limits what a stolen private key can decrypt from previously captured traffic.

What are other names for Heartbleed (CVE-2014-0160)?

Common alternative names include: CVE-2014-0160, OpenSSL heartbeat bug.
