VYPR
Get started
← All advisories
High severity7.5NVD Advisory· Published Mar 21, 2024· Updated Apr 15, 2026

CVE-2024-1394

CVE-2024-1394

Description

A memory leak flaw was found in Golang in the RSA encrypting/decrypting code, which might lead to a resource exhaustion vulnerability using attacker-controlled inputs​. The memory leak happens in github.com/golang-fips/openssl/openssl/rsa.go#L113. The objects leaked are pkey​ and ctx​. That function uses named return parameters to free pkey​ and ctx​ if there is an error initializing the context or setting the different properties. All return statements related to error cases follow the "return nil, nil, fail(...)" pattern, meaning that pkey​ and ctx​ will be nil inside the deferred function that should free them.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
github.com/golang-fips/goGo
<= 1.22.1
github.com/golang-fips/openssl/v2Go
< 2.0.12.0.1
github.com/microsoft/go-crypto-opensslGo
<= 0.2.8
github.com/microsoft/go-crypto-openssl/opensslGo
< 0.2.90.2.9

Patches

2
85d31d0d257c

Merge pull request from GHSA-78hx-gp6g-7mj6

https://github.com/golang-fips/opensslGeorge AdamsMar 20, 2024via ghsa
commit
2 files changed · +11 11
  • cipher.go+2 2 modified
    @@ -533,12 +533,12 @@ func sliceForAppend(in []byte, n int) (head, tail []byte) {
 	return
 }
 
-func newCipherCtx(kind cipherKind, mode cipherMode, encrypt cipherOp, key, iv []byte) (ctx C.GO_EVP_CIPHER_CTX_PTR, err error) {
+func newCipherCtx(kind cipherKind, mode cipherMode, encrypt cipherOp, key, iv []byte) (_ C.GO_EVP_CIPHER_CTX_PTR, err error) {
 	cipher := loadCipher(kind, mode)
 	if cipher == nil {
 		panic("crypto/cipher: unsupported cipher: " + kind.String())
 	}
-	ctx = C.go_openssl_EVP_CIPHER_CTX_new()
+	ctx := C.go_openssl_EVP_CIPHER_CTX_new()
 	if ctx == nil {
 		return nil, fail("unable to create EVP cipher ctx")
 	}
  • evp.go+9 9 modified
    @@ -149,7 +149,15 @@ type verifyFunc func(C.GO_EVP_PKEY_CTX_PTR, *C.uchar, C.size_t, *C.uchar, C.size
 
 func setupEVP(withKey withKeyFunc, padding C.int,
 	h, mgfHash hash.Hash, label []byte, saltLen C.int, ch crypto.Hash,
-	init initFunc) (ctx C.GO_EVP_PKEY_CTX_PTR, err error) {
+	init initFunc) (_ C.GO_EVP_PKEY_CTX_PTR, err error) {
+	var ctx C.GO_EVP_PKEY_CTX_PTR
+	withKey(func(pkey C.GO_EVP_PKEY_PTR) C.int {
+		ctx = C.go_openssl_EVP_PKEY_CTX_new(pkey, nil)
+		return 1
+	})
+	if ctx == nil {
+		return nil, newOpenSSLError("EVP_PKEY_CTX_new failed")
+	}
 	defer func() {
 		if err != nil {
 			if ctx != nil {
@@ -158,14 +166,6 @@ func setupEVP(withKey withKeyFunc, padding C.int,
 			}
 		}
 	}()
-
-	withKey(func(pkey C.GO_EVP_PKEY_PTR) C.int {
-		ctx = C.go_openssl_EVP_PKEY_CTX_new(pkey, nil)
-		return 1
-	})
-	if ctx == nil {
-		return nil, newOpenSSLError("EVP_PKEY_CTX_new failed")
-	}
 	if err := init(ctx); err != nil {
 		return nil, err
 	}
104fe7f69127

Fix memory leak in setupEVP

https://github.com/microsoft/go-crypto-opensslqmuntalFeb 8, 2024via ghsa
commit
1 file changed · +9 9
  • openssl/evpkey.go+9 9 modified
    @@ -101,7 +101,15 @@ type verifyFunc func(C.GO_EVP_PKEY_CTX_PTR, *C.uchar, C.size_t, *C.uchar, C.size
 
 func setupEVP(withKey withKeyFunc, padding C.int,
 	h, mgfHash hash.Hash, label []byte, saltLen C.int, ch crypto.Hash,
-	init initFunc) (ctx C.GO_EVP_PKEY_CTX_PTR, err error) {
+	init initFunc) (_ C.GO_EVP_PKEY_CTX_PTR, err error) {
+	var ctx C.GO_EVP_PKEY_CTX_PTR
+	withKey(func(pkey C.GO_EVP_PKEY_PTR) C.int {
+		ctx = C.go_openssl_EVP_PKEY_CTX_new(pkey, nil)
+		return 1
+	})
+	if ctx == nil {
+		return nil, newOpenSSLError("EVP_PKEY_CTX_new failed")
+	}
 	defer func() {
 		if err != nil {
 			if ctx != nil {
@@ -110,14 +118,6 @@ func setupEVP(withKey withKeyFunc, padding C.int,
 			}
 		}
 	}()
-
-	withKey(func(pkey C.GO_EVP_PKEY_PTR) C.int {
-		ctx = C.go_openssl_EVP_PKEY_CTX_new(pkey, nil)
-		return 1
-	})
-	if ctx == nil {
-		return nil, newOpenSSLError("EVP_PKEY_CTX_new failed")
-	}
 	if err := init(ctx); err != nil {
 		return nil, err
 	}

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

50

News mentions

0

No linked articles in our index yet.