{"id":"CVE-2024-1394","details":"A memory leak flaw was found in Golang in the RSA encrypting/decrypting code, which might lead to a resource exhaustion vulnerability using attacker-controlled inputs\u200b. The memory leak happens in github.com/golang-fips/openssl/openssl/rsa.go#L113. The objects leaked are pkey\u200b and ctx\u200b. That function uses named return parameters to free pkey\u200b and ctx\u200b if there is an error initializing the context or setting the different properties. All return statements related to error cases follow the \"return nil, nil, fail(...)\" pattern, meaning that pkey\u200b and ctx\u200b will be nil inside the deferred function that should free them.","aliases":["GHSA-78hx-gp6g-7mj6","GO-2024-2660"],"modified":"2026-03-20T12:34:02.124580Z","published":"2024-03-21T13:00:08.037Z","related":["ALSA-2024:1462","ALSA-2024:1472","ALSA-2024:1501","ALSA-2024:1502","ALSA-2024:1644","ALSA-2024:1646","ALSA-2024:2562","ALSA-2024:2568","ALSA-2024:2569","ALSA-2024:3265","ALSA-2024:4371","ALSA-2024:4378","ALSA-2024:4379","ALSA-2024:4502","ALSA-2024:4761","ALSA-2024:4762","ALSA-2024:5258","ALSA-2024:7262","ALSA-2025:7118","GHSA-78hx-gp6g-7mj6","RLSA-2024:2562"],"references":[{"type":"WEB","url":"https://vuln.go.dev/ID/GO-2024-2660.json"},{"type":"WEB","url":"https://pkg.go.dev/vuln/GO-2024-2660"},{"type":"WEB","url":"https://access.redhat.com/security/cve/CVE-2024-1394"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:1563"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:1640"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:2562"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:2767"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:5258"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:2568"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:2569"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:4378"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:1468"},{"type":"ADVISORY","url":"https://github.com/golang-fips/openssl/security/advisories/GHSA-78hx-gp6g-7mj6"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:1472"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:1502"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:1897"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:3352"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:4761"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:4762"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:1462"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:1561"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:1574"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:1644"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:1763"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:4371"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:4591"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:4960"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:1501"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:1566"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:1646"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:4146"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:4502"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:4699"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:7262"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2025:7118"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:2730"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:4672"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:5634"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:1567"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:2729"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:3265"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:4379"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:4581"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2262921"},{"type":"FIX","url":"https://github.com/golang-fips/openssl/commit/85d31d0d257ce842c8a1e63c4d230ae850348136"},{"type":"FIX","url":"https://github.com/microsoft/go-crypto-openssl/commit/104fe7f6912788d2ad44602f77a0a0a62f1f259f"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/golang-fips/openssl","events":[{"introduced":"0"},{"fixed":"85d31d0d257ce842c8a1e63c4d230ae850348136"}]},{"type":"GIT","repo":"https://github.com/microsoft/go-crypto-openssl","events":[{"introduced":"0"},{"fixed":"104fe7f6912788d2ad44602f77a0a0a62f1f259f"}]},{"type":"GIT","repo":"https://github.com/golang-fips/openssl","events":[{"introduced":"0"},{"fixed":"85d31d0d257ce842c8a1e63c4d230ae850348136"}]},{"type":"GIT","repo":"https://github.com/microsoft/go-crypto-openssl","events":[{"introduced":"0"},{"fixed":"104fe7f6912788d2ad44602f77a0a0a62f1f259f"}]}],"versions":["v0.1.0","v0.2.0","v0.2.1","v0.2.2","v0.2.3","v0.2.4","v0.2.5","v0.2.6","v0.2.7","v0.2.8","v2.0.0","v2.0.0-rc.1","v2.0.0-rc.2","v2.0.0-rc.3"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-1394.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}