Jan 2, 2026
OpenSSL trusted the attacker-supplied length field in TLS Heartbeat messages without checking it against the size of the payload actually received. A request that claims a large payload but carries a short one makes the server copy that many bytes, starting at the payload and running on into adjacent heap memory, into its reply. Whatever the heap held comes back to the attacker: SSL private keys, session cookies and user passwords. At disclosure, OpenSSL was running on roughly two-thirds of active web servers, which is why this bug (Heartbleed, CVE-2014-0160) was felt across so much of the internet.
A catastrophic missing bounds check in the OpenSSL Heartbeat extension allowed remote, unauthenticated attackers to read up to 64 KB of process memory per request (the limit of the 16-bit length field), exposing private keys, session tokens, and user credentials. The request can be repeated at will, so an attacker can sweep large parts of the heap over time, and the server logs nothing unusual.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

| Vendor | Product | Affected Versions | Fixed Version |
|---|---|---|---|
| OpenSSL Software Foundation | OpenSSL | 1.0.1 - 1.0.1f | 1.0.1g |
| Attribute | Detail |
|---|---|
| CVE ID | CVE-2014-0160 |
| CWE ID | CWE-126 (Buffer Over-read) |
| CVSS Score | 7.5 (High) |
| Attack Vector | Network |
| Privileges Required | None |
| EPSS Score | 94.47% |
| Exploit Status | Active / Weaponized |
| Impact | Information Disclosure (Critical) |
CWE-126: the software reads from a buffer using a length value that the attacker controls, so the read runs past the end of the intended buffer into adjacent memory. Here the buffer is the received heartbeat record and the adjacent memory is whatever else OpenSSL's heap held at the time.
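The following is an added illustration, not OpenSSL's own code, of the defect and of the bounds check that fixed it. It reconstructs the heartbeat message layout (type, 2-byte length, payload, padding) and a handler that copies `length` bytes into its reply. The "heap" is a constructed 512-byte arena with a fake secret placed right after the record; the names `build_heartbeat`, `process_heartbeat_vulnerable` and `process_heartbeat_fixed` are this example's, and the copy is clamped to the arena only so the demo is free of undefined behaviour. The check in the fixed path matches the one shipped in OpenSSL 1.0.1g.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST   1
#define HB_PADDING   16      /* minimum padding a heartbeat message carries */
#define ARENA_SIZE   512

/* Result of handling one heartbeat request. */
typedef struct {
    int    accepted;      /* 1 = response built, 0 = request dropped */
    size_t response_len;  /* payload bytes copied into the response */
    size_t leaked;        /* of those, bytes that lie beyond the end of the record */
} hb_result;

/* Constructed stand-in for process memory: the heartbeat record is laid out at the
 * start of the arena and a fake secret sits right after it, as a previously freed
 * allocation would on a real heap. The secret is a placeholder, not a real key. */
static unsigned char arena[ARENA_SIZE];
static const char secret[] = "-----BEGIN RSA PRIVATE KEY----- (constructed, not a real key)";

/* Lay out type | 2-byte length | payload | padding, then the secret behind it.
 * claimed_len is what the attacker writes into the length field; actual_len is how
 * many payload bytes they really send. Returns the length of the record as received. */
size_t build_heartbeat(uint16_t claimed_len, const unsigned char *payload, size_t actual_len) {
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + 3, payload, actual_len);
    size_t record_len = 3 + actual_len + HB_PADDING;
    memcpy(arena + record_len, secret, sizeof secret);
    return record_len;
}

/* Shared body: parse the header, optionally check it, then copy `payload` bytes
 * into the response the way the handler builds its reply. The copy is clamped to
 * the arena only so this demo has no undefined behaviour; the real code memcpy'd
 * straight off the end of the record into neighbouring heap memory. */
static hb_result handle(const unsigned char *rec, size_t rec_len, int check_bounds,
                        unsigned char *out, size_t out_cap) {
    hb_result r = {0, 0, 0};
    const unsigned char *p = rec;
    unsigned char type = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);   /* attacker-controlled */
    p += 2;
    if (type != HB_REQUEST) return r;

    /* The fix shipped in 1.0.1g: reject a length field larger than the record. */
    if (check_bounds && 1 + 2 + (size_t)payload + HB_PADDING > rec_len) return r;

    size_t avail = (size_t)(arena + sizeof arena - p);
    size_t n = payload;
    if (n > avail) n = avail;          /* demo-only clamp, see comment above */
    if (n > out_cap) n = out_cap;
    memcpy(out, p, n);

    r.accepted = 1;
    r.response_len = n;
    size_t in_record = (size_t)(rec + rec_len - p);
    r.leaked = n > in_record ? n - in_record : 0;
    return r;
}

/* Heartbleed behaviour: the length field is trusted as-is. */
hb_result process_heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                       unsigned char *out, size_t out_cap) {
    return handle(rec, rec_len, 0, out, out_cap);
}

/* Patched behaviour: the length field is checked against the record length. */
hb_result process_heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                                  unsigned char *out, size_t out_cap) {
    return handle(rec, rec_len, 1, out, out_cap);
}

/* 1 if the placeholder secret appears anywhere in the response buffer. */
int response_contains_secret(const unsigned char *out, size_t len) {
    size_t slen = sizeof secret - 1;
    for (size_t i = 0; i + slen <= len; i++)
        if (memcmp(out + i, secret, slen) == 0) return 1;
    return 0;
}

int main(void) {
    unsigned char out[ARENA_SIZE];
    const unsigned char ping[4] = {'p', 'i', 'n', 'g'};
    size_t rec_len = build_heartbeat(0xFFFF, ping, sizeof ping);   /* claims 65535, sends 4 */

    hb_result v = process_heartbeat_vulnerable(arena, rec_len, out, sizeof out);
    printf("vulnerable: accepted=%d copied=%zu leaked=%zu secret_in_reply=%d\n",
           v.accepted, v.response_len, v.leaked, response_contains_secret(out, v.response_len));

    hb_result f = process_heartbeat_fixed(arena, rec_len, out, sizeof out);
    printf("fixed:      accepted=%d copied=%zu leaked=%zu\n", f.accepted, f.response_len, f.leaked);
    return 0;
}
```

With a 4-byte payload and a length field of 65535, the vulnerable path copies everything from the payload to the end of the arena (509 bytes here, of which 489 lie past the record, including the placeholder secret); on a real heap the same copy would walk into adjacent allocations. The fixed path drops the request because 1 + 2 + 65535 + 16 exceeds the 23-byte record, while an honest request whose length field matches the payload still gets its reply.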