CVE-2024-1394

HIGH

GO < 2.0.1 - Memory Leak

Title source: rule

Description

A memory leak flaw was found in Golang in the RSA encrypting/decrypting code, which might lead to a resource exhaustion vulnerability using attacker-controlled inputs. The memory leak happens in github.com/golang-fips/openssl/openssl/rsa.go#L113. The objects leaked are pkey and ctx. That function uses named return parameters to free pkey and ctx if there is an error initializing the context or setting the different properties. All return statements related to error cases follow the "return nil, nil, fail(...)" pattern, meaning that pkey and ctx will be nil inside the deferred function that should free them.

References (46)

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2024:4379

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2024:4502

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2024:4581

[Various Sources] https://pkg.go.dev/vuln/GO-2024-2660

[Various Sources] https://vuln.go.dev/ID/GO-2024-2660.json

[Patch] https://github.com/golang-fips/openssl/commit/85d31d0d257ce842c8a1e63c4d230ae850348136

View Patch ZIP pw:eip

[Patch] https://github.com/microsoft/go-crypto-openssl/commit/104fe7f6912788d2ad44602f77a0a0a62f1f259f

View Patch ZIP pw:eip

[Vendor Advisory] https://github.com/golang-fips/openssl/security/advisories/GHSA-78hx-gp6g-7mj6

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2024:4378

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2024:1462

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2024:1468

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2024:1472

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2024:1501

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2024:1502

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2024:1561

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2024:1563

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2024:1566

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2024:1567

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2024:1574

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2024:1640

... and 26 more

Scores

CVSS v3 7.5

EPSS 0.0102

EPSS Percentile 77.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Classification

CWE

CWE-401

Status draft

Affected Products (4)

golang-fips/go Go

golang-fips/openssl < 2.0.1Go

microsoft/go-crypto-openssl Go

microsoft/go-crypto-openssl < 0.2.9Go

Timeline

Published Mar 21, 2024

Tracked Since Feb 18, 2026