
Red Hat OpenShift: CVE-2024-1394: golang-fips/openssl: Memory leaks in code encrypting and decrypting RSA payloads

Severity: 8
CVSS: (AV:N/AC:L/Au:N/C:N/I:N/A:C)
Published: Mar 21, 2024
Added: Apr 3, 2024
Modified: Mar 30, 2026

Description

A memory leak flaw was found in the RSA encryption/decryption code of the golang-fips/openssl Go module; with attacker-controlled inputs it might lead to resource exhaustion. The leak is in github.com/golang-fips/openssl/openssl/rsa.go#L113, and the leaked objects are pkey and ctx. The function uses named return parameters so that a deferred function can free pkey and ctx if initializing the context or setting its properties fails. However, every error-case return statement follows the "return nil, nil, fail(...)" pattern, so pkey and ctx have already been overwritten with nil by the time the deferred function runs, and the objects it is meant to free are never released.
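The named-return-and-defer mistake described above, reduced to a self-contained Go program (an added example, not the golang-fips/openssl code): handle, alloc, Live, LeakyInit and FixedInit are constructed stand-ins for the OpenSSL objects and for the vulnerable and corrected control flow.

```go
package main

import "fmt"

// handle stands in for an OpenSSL object (EVP_PKEY / EVP_PKEY_CTX); Live counts allocations. Constructed, not golang-fips code.
type handle struct{}
var Live int
func alloc() *handle { Live++; return &handle{} }
func (h *handle) free() { if h != nil { Live-- } } // nil-safe, like OpenSSL *_free

// LeakyInit mirrors the advisory's pattern: "return nil, nil, err" overwrites the
// named results before the deferred cleanup runs, so the cleanup frees nothing.
func LeakyInit(fail bool) (pkey, ctx *handle, err error) {
	defer func() {
		if err != nil {
			pkey.free() // pkey and ctx are already nil here
			ctx.free()
		}
	}()
	pkey, ctx = alloc(), alloc()
	if fail {
		return nil, nil, fmt.Errorf("constructed: setting a property failed")
	}
	return pkey, ctx, nil
}

// FixedInit assigns err and returns bare, so the deferred cleanup still sees the
// allocated handles; it then nils them so the caller never receives a freed one.
func FixedInit(fail bool) (pkey, ctx *handle, err error) {
	defer func() {
		if err != nil {
			pkey.free()
			ctx.free()
			pkey, ctx = nil, nil
		}
	}()
	pkey, ctx = alloc(), alloc()
	if fail {
		err = fmt.Errorf("constructed: setting a property failed")
		return
	}
	return pkey, ctx, nil
}

func main() {
	LeakyInit(true)
	fmt.Println("vulnerable error path left allocated:", Live) // 2
	Live = 0; FixedInit(true)
	fmt.Println("fixed error path left allocated:", Live) // 0
}
```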

Solutions

linuxrpm-upgrade-buildah
linuxrpm-upgrade-butane
linuxrpm-upgrade-conmon
linuxrpm-upgrade-containernetworking-plugins
linuxrpm-upgrade-cri-o
linuxrpm-upgrade-cri-tools
linuxrpm-upgrade-ignition
linuxrpm-upgrade-microshift
linuxrpm-upgrade-openshift
linuxrpm-upgrade-openshift-ansible
linuxrpm-upgrade-openshift-clients
linuxrpm-upgrade-openshift-kuryr
linuxrpm-upgrade-openshift4-aws-iso
linuxrpm-upgrade-ose-aws-ecr-image-credential-provider
linuxrpm-upgrade-podman
linuxrpm-upgrade-rhcos
linuxrpm-upgrade-runc
linuxrpm-upgrade-skopeo
