{"id":"GO-2024-2660","summary":"Memory leak in github.com/golang-fips/openssl/v2 and github.com/microsoft/go-crypto-openssl","details":"Using crafted public RSA keys can cause a small memory leak when encrypting and verifying payloads. This can be gradually leveraged into a denial of service attack.","aliases":["CVE-2024-1394","GHSA-78hx-gp6g-7mj6"],"modified":"2026-02-04T03:12:10.705443Z","published":"2024-03-27T22:08:48Z","related":["RHSA-2024:1462","RHSA-2024:1468","RHSA-2024:1472","RHSA-2024:1501","RHSA-2024:1502","RHSA-2024:1561","RHSA-2024:1563","RHSA-2024:1566","RHSA-2024:1567","RHSA-2024:1574","RHSA-2024:1640","RHSA-2024:1644","RHSA-2024:1646","RHSA-2024:1763","RHSA-2024:1897","RHSA-2024:2562","RHSA-2024:2568","RHSA-2024:2569","RHSA-2024:2729","RHSA-2024:2730","RHSA-2024:2767","RHSA-2024:3265","RHSA-2024:3352","RHSA-2024:4146","RHSA-2024:4371","RHSA-2024:4378","RHSA-2024:4379","RHSA-2024:4502","RHSA-2024:4581","RHSA-2024:4672","RHSA-2024:4761","RHSA-2024:4762","RHSA-2024:5258","RHSA-2024:5634","RHSA-2024:7262","RHSA-2025:7118"],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2024-2660","review_status":"REVIEWED"},"references":[{"type":"FIX","url":"https://github.com/golang-fips/openssl/commit/85d31d0d257ce842c8a1e63c4d230ae850348136"},{"type":"FIX","url":"https://github.com/microsoft/go-crypto-openssl/commit/104fe7f6912788d2ad44602f77a0a0a62f1f259f"}],"affected":[{"package":{"name":"github.com/golang-fips/openssl/v2","ecosystem":"Go","purl":"pkg:golang/github.com/golang-fips/openssl/v2"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"2.0.1"}]}],"ecosystem_specific":{"imports":[{"path":"github.com/golang-fips/openssl/v2","symbols":["DecryptRSANoPadding","DecryptRSAOAEP","DecryptRSAPKCS1","EncryptRSANoPadding","EncryptRSAOAEP","EncryptRSAPKCS1","NewGCMTLS","NewGCMTLS13","NewRC4Cipher","SignMarshalECDSA","SignRSAPKCS1v15","SignRSAPSS","VerifyECDSA","VerifyRSAPKCS1v15","VerifyRSAPSS","aesCipher.Decrypt","aesCipher.Encrypt","aesCipher.NewCBCDecrypter","aesCipher.NewCBCEncrypter","aesCipher.NewCTR","aesCipher.NewGCM","aesCipher.NewGCMTLS","aesCipher.NewGCMTLS13","desCipher.Decrypt","desCipher.Encrypt","desCipher.NewCBCDecrypter","desCipher.NewCBCEncrypter","desCipherWithoutCBC.Decrypt","desCipherWithoutCBC.Encrypt","newCipherCtx","noGCM.Decrypt","noGCM.Encrypt","setupEVP"]}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2024-2660.json"}},{"package":{"name":"github.com/microsoft/go-crypto-openssl","ecosystem":"Go","purl":"pkg:golang/github.com/microsoft/go-crypto-openssl"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.2.9"}]}],"ecosystem_specific":{"imports":[{"path":"github.com/microsoft/go-crypto-openssl/openssl","symbols":["DecryptRSANoPadding","DecryptRSAOAEP","DecryptRSAOAEPWithMGF1Hash","DecryptRSAPKCS1","EncryptRSANoPadding","EncryptRSAOAEP","EncryptRSAOAEPWithMGF1Hash","EncryptRSAPKCS1","SignMarshalECDSA","SignRSAPKCS1v15","SignRSAPSS","VerifyECDSA","VerifyRSAPKCS1v15","VerifyRSAPSS","setupEVP"]}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2024-2660.json"}}],"schema_version":"1.7.3","credits":[{"name":"@qmuntal and @r3kumar"}]}