High severity 7.5 · OSV Advisory · Published Mar 21, 2024 · Updated Apr 15, 2026

CVE-2024-1394

Description

A memory leak flaw was found in Golang in the RSA encrypting/decrypting code, which might lead to a resource exhaustion vulnerability using attacker-controlled inputs. The memory leak happens in github.com/golang-fips/openssl/openssl/rsa.go#L113. The objects leaked are pkey and ctx. That function uses named return parameters to free pkey and ctx if there is an error initializing the context or setting the different properties. All return statements related to error cases follow the "return nil, nil, fail(...)" pattern, meaning that pkey and ctx will be nil inside the deferred function that should free them.
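The named-return pitfall described above, reduced to a runnable Go sketch. This is an added example, not code from golang-fips/openssl: `handle`, `alloc`, `freeOnErr`, `setupLeaky`, `setupFixed` and the `live` counter are hypothetical stand-ins, and `setupFixed` shows one way to avoid the pitfall, not necessarily the upstream patch.

```go
package main

import "fmt"

// live counts simulated native objects (stand-ins for pkey and ctx), which
// the Go garbage collector never reclaims; only an explicit free does.
var live int
var errInit = fmt.Errorf("constructed init failure")

type handle struct{}
func alloc() *handle { live++; return &handle{} }

// freeOnErr is the deferred cleanup: on error it frees whatever the named
// results point to at the moment the function returns.
func freeOnErr(pkey, ctx **handle, err *error) {
	for _, h := range []**handle{pkey, ctx} {
		if *err != nil && *h != nil {
			live--
			*h = nil
		}
	}
}

// setupLeaky mirrors the advisory: "return nil, nil, err" sets the named
// results to nil before the deferred cleanup runs, so nothing is freed.
func setupLeaky() (pkey, ctx *handle, err error) {
	defer freeOnErr(&pkey, &ctx, &err)
	pkey, ctx = alloc(), alloc()
	return nil, nil, errInit
}

// setupFixed sets err and returns bare, so the cleanup still sees both handles.
func setupFixed() (pkey, ctx *handle, err error) {
	defer freeOnErr(&pkey, &ctx, &err)
	pkey, ctx = alloc(), alloc()
	err = errInit
	return
}

// leakedAfter runs n failing setups and returns the objects left allocated.
func leakedAfter(setup func() (*handle, *handle, error), n int) int {
	live = 0
	for i := 0; i < n; i++ {
		setup()
	}
	return live
}

func main() { fmt.Println(leakedAfter(setupLeaky, 1000), leakedAfter(setupFixed, 1000)) }
```

Every failing call to `setupLeaky` leaves two objects allocated, which is why repeated attacker-triggered error paths add up to resource exhaustion.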

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| github.com/golang-fips/go (Go) | <= 1.22.1 | |
| github.com/golang-fips/openssl/v2 (Go) | < 2.0.1 | 2.0.1 |
| github.com/microsoft/go-crypto-openssl (Go) | <= 0.2.8 | |
| github.com/microsoft/go-crypto-openssl/openssl (Go) | < 0.2.9 | 0.2.9 |

Affected products

62

References

50
