Vulnerability Change Records for CVE-2024-1394

Change History

New CVE Received by NIST 3/21/2024 9:00:08 AM

Action | Type | Old Value | New Value
Added | CVSS V3.1 | | Red Hat, Inc. AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Added | CWE | | Red Hat, Inc. CWE-401
Added | Description | | A memory leak flaw was found in Golang in the RSA encrypting/decrypting code, which might lead to a resource exhaustion vulnerability using attacker-controlled inputs. The memory leak happens in github.com/golang-fips/openssl/openssl/rsa.go#L113. The objects leaked are pkey and ctx. That function uses named return parameters to free pkey and ctx if there is an error initializing the context or setting the different properties. All return statements related to error cases follow the "return nil, nil, fail(...)" pattern, meaning that pkey and ctx will be nil inside the deferred function that should free them.
Added | Reference | | Red Hat, Inc. https://access.redhat.com/errata/RHSA-2024:1462 [No types assigned]
Added | Reference | | Red Hat, Inc. https://access.redhat.com/security/cve/CVE-2024-1394 [No types assigned]
Added | Reference | | Red Hat, Inc. https://bugzilla.redhat.com/show_bug.cgi?id=2262921 [No types assigned]
Added | Reference | | Red Hat, Inc. https://github.com/golang-fips/openssl/security/advisories/GHSA-78hx-gp6g-7mj6 [No types assigned]
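
The named-return pitfall from the description above, reduced to a self-contained Go program. This is an added example, not code from golang-fips/openssl: `handle`, `alloc`, `release`, the `live` counter and both setup functions are hypothetical stand-ins, and `fixedSetup` shows one possible correction, not the project's patch.

```go
package main

import "fmt"

// live counts simulated native objects (stand-ins for pkey and ctx) not yet freed.
var live int
type handle struct{}
func alloc() *handle { live++; return &handle{} }

func release(hs ...*handle) {
	for _, h := range hs {
		if h != nil {
			live--
		}
	}
}

// leakySetup: "return nil, nil, err" assigns nil to the named results
// before the deferred function runs, so release sees only nil pointers.
func leakySetup(fail bool) (pkey, ctx *handle, err error) {
	defer func() {
		if err != nil {
			release(pkey, ctx)
		}
	}()
	if pkey, ctx = alloc(), alloc(); fail {
		return nil, nil, fmt.Errorf("setup failed")
	}
	return pkey, ctx, nil
}

// fixedSetup returns the live handles with the error so the defer can free them.
func fixedSetup(fail bool) (pkey, ctx *handle, err error) {
	defer func() {
		if err != nil {
			release(pkey, ctx)
			pkey, ctx = nil, nil
		}
	}()
	if pkey, ctx = alloc(), alloc(); fail {
		return pkey, ctx, fmt.Errorf("setup failed")
	}
	return pkey, ctx, nil
}

func main() {
	leakySetup(true)
	fixedSetup(true)
	fmt.Println("live handles after both failures:", live) // 2, both from leakySetup
}
```

Each failing call to `leakySetup` strands two objects, which is how repeated attacker-controlled inputs that hit the error path turn into resource exhaustion.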