CVE-2024-1394
UNKNOWN
Published 2024-03-21T12:16:38.790Z
Actions:
Expert Analysis
Professional remediation guidance
Get tailored security recommendations from our analyst team for CVE-2024-1394. We'll provide specific mitigation strategies based on your environment and risk profile.
CVSS Score
V3.1
7.5
/10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score Metrics
Exploitability: N/A
Impact: N/A
EPSS Score
v2025.03.14
0.009
probability
of exploitation in the wild
There is a 0.9% chance that this vulnerability will be exploited in the wild within the next 30 days.
Updated: 2025-06-25
Exploit Probability
Percentile: 0.749
Higher than 74.9% of all CVEs
Attack Vector Metrics
Impact Metrics
Description
A memory leak flaw was found in Golang in the RSA encrypting/decrypting code, which might lead to a resource exhaustion vulnerability using attacker-controlled inputs. The memory leak happens in github.com/golang-fips/openssl/openssl/rsa.go#L113. The objects leaked are pkey and ctx. That function uses named return parameters to free pkey and ctx if there is an error initializing the context or setting the different properties. All return statements related to error cases follow the "return nil, nil, fail(...)" pattern, meaning that pkey and ctx will be nil inside the deferred function that should free them.
Available Exploits
No exploits available for this CVE.
Related News
No news articles found for this CVE.
Affected Products
Affected Versions:
Affected Versions:
Affected Versions:
Affected Versions:
Affected Versions:
Affected Versions:
Affected Versions:
Affected Versions:
Affected Versions:
Affected Versions:
Affected Versions:
Affected Versions:
Affected Versions:
Affected Versions:
Affected Versions:
Affected Versions:
Affected Versions:
Affected Versions:
Affected Versions:
Affected Versions:
Affected Versions:
Affected Versions:
Affected Versions:
Affected Versions:
Affected Versions:
Affected Versions:
Affected Versions:
Affected Versions:
Affected Versions:
Affected Versions:
Affected Versions:
Affected Versions:
Affected Versions:
Affected Versions:
Affected Versions:
Affected Versions:
Affected Versions:
Affected Versions:
Affected Versions:
Affected Versions:
Affected Versions:
Affected Versions:
Affected Versions:
Affected Versions:
Affected Versions:
Affected Versions:
Affected Versions:
Affected Versions:
Affected Versions:
Affected Versions:
Affected Versions:
Affected Versions:
Affected Versions:
Affected Versions:
Affected Versions:
Affected Versions:
Affected Versions:
Affected Versions:
Affected Versions:
Affected Versions:
Affected Versions:
Affected Versions:
Affected Versions:
Affected Versions:
Affected Versions:
Affected Versions:
Affected Versions:
Affected Versions:
Affected Versions:
Affected Versions:
Affected Versions:
Affected Versions:
Affected Versions:
Affected Versions:
Affected Versions:
Affected Versions:
Affected Versions:
Affected Versions:
Affected Versions:
Affected Versions:
Affected Versions:
Affected Versions:
Affected Versions:
Affected Versions:
Affected Versions:
Affected Versions:
Affected Versions:
Affected Versions:
Affected Versions:
Affected Versions:
Affected Versions:
EU Vulnerability Database
Monitored by ENISA for EU cybersecurity
ENISA Analysis
Malicious code in bioql (PyPI)
Affected Products (ENISA)
red hat
red hat openshift container platform 4.14
ENISA Scoring
CVSS Score (3.1)
7.5
/10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score
1.020
probability
ENISA References
https://github.com/golang-fips/openssl/security/advisories/GHSA-78hx-gp6g-7mj6
https://nvd.nist.gov/vuln/detail/CVE-2024-1394
https://github.com/microsoft/go-crypto-openssl/commit/104fe7f6912788d2ad44602f77a0a0a62f1f259f
https://github.com/golang-fips/openssl/commit/85d31d0d257ce842c8a1e63c4d230ae850348136
https://access.redhat.com/errata/RHSA-2024:1462
https://access.redhat.com/errata/RHSA-2024:4378
https://access.redhat.com/errata/RHSA-2024:4379
https://access.redhat.com/errata/RHSA-2024:4502
https://access.redhat.com/errata/RHSA-2024:4581
https://access.redhat.com/errata/RHSA-2024:4591
https://access.redhat.com/errata/RHSA-2024:4672
https://access.redhat.com/errata/RHSA-2024:4699
https://access.redhat.com/errata/RHSA-2024:4761
https://access.redhat.com/errata/RHSA-2024:4762
https://access.redhat.com/errata/RHSA-2024:4960
https://access.redhat.com/errata/RHSA-2024:5258
https://access.redhat.com/errata/RHSA-2024:5634
https://access.redhat.com/errata/RHSA-2024:7262
https://access.redhat.com/security/cve/CVE-2024-1394
https://bugzilla.redhat.com/show_bug.cgi?id=2262921
https://github.com/golang-fips/openssl
https://github.com/golang-fips/openssl/releases/tag/v2.0.1
https://github.com/microsoft/go-crypto-openssl/releases/tag/v0.2.9
https://pkg.go.dev/vuln/GO-2024-2660
https://vuln.go.dev/ID/GO-2024-2660.json
https://access.redhat.com/errata/RHSA-2024:1468
https://access.redhat.com/errata/RHSA-2024:1472
https://access.redhat.com/errata/RHSA-2024:1501
https://access.redhat.com/errata/RHSA-2024:1502
https://access.redhat.com/errata/RHSA-2024:1561
https://access.redhat.com/errata/RHSA-2024:1563
https://access.redhat.com/errata/RHSA-2024:1566
https://access.redhat.com/errata/RHSA-2024:1567
https://access.redhat.com/errata/RHSA-2024:1574
https://access.redhat.com/errata/RHSA-2024:1640
https://access.redhat.com/errata/RHSA-2024:1644
https://access.redhat.com/errata/RHSA-2024:1646
https://access.redhat.com/errata/RHSA-2024:1763
https://access.redhat.com/errata/RHSA-2024:1897
https://access.redhat.com/errata/RHSA-2024:2562
https://access.redhat.com/errata/RHSA-2024:2568
https://access.redhat.com/errata/RHSA-2024:2569
https://access.redhat.com/errata/RHSA-2024:2729
https://access.redhat.com/errata/RHSA-2024:2730
https://access.redhat.com/errata/RHSA-2024:2767
https://access.redhat.com/errata/RHSA-2024:3265
https://access.redhat.com/errata/RHSA-2024:3352
https://access.redhat.com/errata/RHSA-2024:4146
https://access.redhat.com/errata/RHSA-2024:4371
https://access.redhat.com/errata/RHSA-2025:7118
Data provided by ENISA EU Vulnerability Database. Last updated: October 3, 2025
GitHub Security Advisories
Community-driven vulnerability intelligence from GitHub
✓ GitHub Reviewed
HIGH
Memory leaks in code encrypting and verifying RSA payloads
GHSA-78hx-gp6g-7mj6Advisory Details
Using crafted public RSA keys which are not compliant with SP 800-56B can cause a small memory leak when encrypting and verifying payloads.
An attacker can leverage this flaw to gradually erode available memory to the point where the host crashes for lack of resources. Upon restart the attacker would have to begin again, but nevertheless there is the potential to deny service.
Affected Packages
Go
github.com/golang-fips/go
ECOSYSTEM:
≥0
≤1.22.1
Go
github.com/golang-fips/openssl/v2
ECOSYSTEM:
≥0
<2.0.1
Go
github.com/microsoft/go-crypto-openssl
ECOSYSTEM:
≥0
≤0.2.8
Go
github.com/microsoft/go-crypto-openssl/openssl
ECOSYSTEM:
≥0
<0.2.9
CVSS Scoring
CVSS Score
7.5
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References
Advisory provided by GitHub Security Advisory Database. Published: March 20, 2024, Modified: October 22, 2024
References
Published: 2024-03-21T12:16:38.790Z
Last Modified: 2025-09-25T07:28:31.448Z
Copied to clipboard!