A memory leak flaw was found in Golang in the RSA encrypting/decrypting code, which might lead to a resource exhaustion vulnerability using attacker-controlled inputs. The memory leak happens in github.com/golang-fips/openssl/openssl/rsa.go#L113. The objects leaked are pkey and ctx. That function uses named return parameters so that a deferred function can free pkey and ctx if there is an error initializing the context or setting its properties. All return statements on error paths follow the "return nil, nil, fail(...)" pattern, so pkey and ctx are already nil by the time the deferred function that should free them runs, and nothing is freed.
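As an added illustration (not code from the golang-fips/openssl project), the two functions below reproduce the defective named-return pattern and a corrected form in pure Go, with a counter standing in for the C allocations; the names setupBuggy, setupFixed, alloc, release and failPadding are assumptions for this example.

```go
package main

import "errors"

// resource stands in for a C-allocated OpenSSL object; live counts allocations.
type resource struct{}
var live int

func alloc() *resource     { live++; return &resource{} }
func (r *resource) free()  { live-- }
func fail(op string) error { return errors.New(op + " failed") }

// release is the deferred cleanup: on error it frees whatever the named results
// still point to and nils them so the caller gets (nil, nil, err).
func release(pkey, ctx **resource, err error) {
	if err == nil {
		return
	}
	for _, r := range []**resource{pkey, ctx} {
		if *r != nil {
			(*r).free()
			*r = nil
		}
	}
}

// setupBuggy mirrors the defective shape: "return nil, nil, fail(...)" overwrites
// the named results before the deferred cleanup runs, so it sees nil and frees nothing.
func setupBuggy(failPadding bool) (pkey, ctx *resource, err error) {
	defer func() { release(&pkey, &ctx, err) }()
	pkey, ctx = alloc(), alloc() // stand-ins for EVP_PKEY and EVP_PKEY_CTX
	if failPadding {
		return nil, nil, fail("EVP_PKEY_CTX_set_rsa_padding") // both objects leak
	}
	return pkey, ctx, nil
}

// setupFixed assigns err and returns bare, so the named results still hold the
// live objects when the deferred cleanup inspects them.
func setupFixed(failPadding bool) (pkey, ctx *resource, err error) {
	defer func() { release(&pkey, &ctx, err) }()
	pkey, ctx = alloc(), alloc()
	if failPadding {
		err = fail("EVP_PKEY_CTX_set_rsa_padding")
		return
	}
	return pkey, ctx, nil
}

func main() { _, _, _ = setupBuggy(true); println("objects still allocated after error:", live) }
```

The same shape applies to any Go function that relies on a deferred closure reading named results: an explicit `return nil, nil, err` silently defeats the cleanup.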
Fixes

Solution

No solution given by the vendor.


Workaround

Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

References

https://access.redhat.com/errata/RHSA-2024:1462
https://access.redhat.com/errata/RHSA-2024:1468
https://access.redhat.com/errata/RHSA-2024:1472
https://access.redhat.com/errata/RHSA-2024:1501
https://access.redhat.com/errata/RHSA-2024:1502
https://access.redhat.com/errata/RHSA-2024:1561
https://access.redhat.com/errata/RHSA-2024:1563
https://access.redhat.com/errata/RHSA-2024:1566
https://access.redhat.com/errata/RHSA-2024:1567
https://access.redhat.com/errata/RHSA-2024:1574
https://access.redhat.com/errata/RHSA-2024:1640
https://access.redhat.com/errata/RHSA-2024:1644
https://access.redhat.com/errata/RHSA-2024:1646
https://access.redhat.com/errata/RHSA-2024:1763
https://access.redhat.com/errata/RHSA-2024:1897
https://access.redhat.com/errata/RHSA-2024:2562
https://access.redhat.com/errata/RHSA-2024:2568
https://access.redhat.com/errata/RHSA-2024:2569
https://access.redhat.com/errata/RHSA-2024:2729
https://access.redhat.com/errata/RHSA-2024:2730
https://access.redhat.com/errata/RHSA-2024:2767
https://access.redhat.com/errata/RHSA-2024:3265
https://access.redhat.com/errata/RHSA-2024:3352
https://access.redhat.com/errata/RHSA-2024:4146
https://access.redhat.com/errata/RHSA-2024:4371
https://access.redhat.com/errata/RHSA-2024:4378
https://access.redhat.com/errata/RHSA-2024:4379
https://access.redhat.com/errata/RHSA-2024:4502
https://access.redhat.com/errata/RHSA-2024:4581
https://access.redhat.com/errata/RHSA-2024:4591
https://access.redhat.com/errata/RHSA-2024:4672
https://access.redhat.com/errata/RHSA-2024:4699
https://access.redhat.com/errata/RHSA-2024:4761
https://access.redhat.com/errata/RHSA-2024:4762
https://access.redhat.com/errata/RHSA-2024:4960
https://access.redhat.com/errata/RHSA-2024:5258
https://access.redhat.com/errata/RHSA-2024:5634
https://access.redhat.com/errata/RHSA-2024:7262
https://access.redhat.com/errata/RHSA-2025:7118
https://access.redhat.com/security/cve/CVE-2024-1394
https://bugzilla.redhat.com/show_bug.cgi?id=2262921
https://github.com/golang-fips/openssl/commit/85d31d0d257ce842c8a1e63c4d230ae850348136
https://github.com/golang-fips/openssl/security/advisories/GHSA-78hx-gp6g-7mj6
https://github.com/microsoft/go-crypto-openssl/commit/104fe7f6912788d2ad44602f77a0a0a62f1f259f
https://nvd.nist.gov/vuln/detail/CVE-2024-1394
https://pkg.go.dev/vuln/GO-2024-2660
https://vuln.go.dev/ID/GO-2024-2660.json
https://www.cve.org/CVERecord?id=CVE-2024-1394
History

Thu, 10 Jul 2025 20:30:00 +0000
  CPEs
    removed: cpe:/a:redhat:certifications:1::el9
    added:   cpe:/a:redhat:certifications:9::el9

Tue, 13 May 2025 08:45:00 +0000
  References

Tue, 10 Dec 2024 16:15:00 +0000
  CPEs
    removed: cpe:/a:redhat:openshift_devspaces:3::
    added:   cpe:/a:redhat:openshift_devspaces:3:

Mon, 09 Dec 2024 10:30:00 +0000
  CPEs
    removed: cpe:/a:redhat:openshift_devspaces:3::el8
    added:   cpe:/a:redhat:openshift_devspaces:3::

Thu, 26 Sep 2024 23:15:00 +0000
  References

Mon, 23 Sep 2024 05:30:00 +0000
  Metrics
    added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 21 Aug 2024 04:00:00 +0000
  References

Tue, 13 Aug 2024 16:30:00 +0000
  References

Wed, 07 Aug 2024 16:45:00 +0000
  References

MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2025-09-25T07:28:31.448Z

Reserved: 2024-02-09T06:02:35.056Z

Link: CVE-2024-1394

Vulnrichment

Updated: 2024-08-01T18:40:20.583Z

NVD

Status: Awaiting Analysis

Published: 2024-03-21T13:00:08.037

Modified: 2025-05-13T09:15:19.360

Link: CVE-2024-1394

Redhat

Severity: Important

Public Date: 2024-03-20T00:00:00Z

Links: CVE-2024-1394 - Bugzilla

OpenCVE Enrichment

No data.