CVE-2024-1394: Missing Release of Memory after Effective Lifetime in Red Hat Red Hat Ansible Automation Platform 2.4 for RHEL 8
A memory leak flaw was found in Golang in the RSA encrypting/decrypting code, which might lead to a resource exhaustion vulnerability using attacker-controlled inputs. The memory leak happens in github.com/golang-fips/openssl/openssl/rsa.go#L113. The objects leaked are pkey and ctx. That function uses named return parameters to free pkey and ctx if there is an error initializing the context or setting the different properties. All return statements related to error cases follow the "return nil, nil, fail(...)" pattern, meaning that pkey and ctx will be nil inside the deferred function that should free them.
AI Analysis
Technical Summary
A memory leak vulnerability (CVE-2024-1394) exists in the Golang RSA encrypting/decrypting code used in Red Hat Ansible Automation Platform 2.4 for RHEL 8. The leak occurs because the function responsible for freeing memory objects pkey and ctx does not properly release them when errors occur, due to the use of named return parameters and a specific error return pattern that results in nil pointers inside the deferred cleanup function. This flaw can lead to resource exhaustion if attacker-controlled inputs trigger repeated leaks. Red Hat has released security updates for golang packages that fix this issue across various Red Hat Enterprise Linux 9 variants and Red Hat Developer Tools. The CVSS v3.1 base score is 7.5 (high), reflecting network attack vector, low attack complexity, no privileges required, no user interaction, unchanged scope, no confidentiality or integrity impact, but high impact on availability.
Potential Impact
The vulnerability can cause resource exhaustion on affected systems by leaking memory during RSA encryption/decryption operations in Golang code. This results in a denial-of-service condition impacting availability. There is no impact on confidentiality or integrity. No known active exploitation has been reported. The issue affects Red Hat Ansible Automation Platform 2.4 for RHEL 8 and other Red Hat products using the vulnerable golang packages.
Mitigation Recommendations
Red Hat has released official security updates for golang packages that address this memory leak vulnerability. Users should apply the relevant Red Hat errata and security advisories (RHSA-2024:1462, RHSA-2024:1468) to update golang packages on affected systems. Before applying updates, ensure all previously released errata are applied. Detailed update instructions are available from Red Hat's official documentation. No additional mitigations are required beyond applying the provided patches.
CVE-2024-1394: Missing Release of Memory after Effective Lifetime in Red Hat Red Hat Ansible Automation Platform 2.4 for RHEL 8
Description
A memory leak flaw was found in Golang in the RSA encrypting/decrypting code, which might lead to a resource exhaustion vulnerability using attacker-controlled inputs. The memory leak happens in github.com/golang-fips/openssl/openssl/rsa.go#L113. The objects leaked are pkey and ctx. That function uses named return parameters to free pkey and ctx if there is an error initializing the context or setting the different properties. All return statements related to error cases follow the "return nil, nil, fail(...)" pattern, meaning that pkey and ctx will be nil inside the deferred function that should free them.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
A memory leak vulnerability (CVE-2024-1394) exists in the Golang RSA encrypting/decrypting code used in Red Hat Ansible Automation Platform 2.4 for RHEL 8. The leak occurs because the function responsible for freeing memory objects pkey and ctx does not properly release them when errors occur, due to the use of named return parameters and a specific error return pattern that results in nil pointers inside the deferred cleanup function. This flaw can lead to resource exhaustion if attacker-controlled inputs trigger repeated leaks. Red Hat has released security updates for golang packages that fix this issue across various Red Hat Enterprise Linux 9 variants and Red Hat Developer Tools. The CVSS v3.1 base score is 7.5 (high), reflecting network attack vector, low attack complexity, no privileges required, no user interaction, unchanged scope, no confidentiality or integrity impact, but high impact on availability.
Potential Impact
The vulnerability can cause resource exhaustion on affected systems by leaking memory during RSA encryption/decryption operations in Golang code. This results in a denial-of-service condition impacting availability. There is no impact on confidentiality or integrity. No known active exploitation has been reported. The issue affects Red Hat Ansible Automation Platform 2.4 for RHEL 8 and other Red Hat products using the vulnerable golang packages.
Mitigation Recommendations
Red Hat has released official security updates for golang packages that address this memory leak vulnerability. Users should apply the relevant Red Hat errata and security advisories (RHSA-2024:1462, RHSA-2024:1468) to update golang packages on affected systems. Before applying updates, ensure all previously released errata are applied. Detailed update instructions are available from Red Hat's official documentation. No additional mitigations are required beyond applying the provided patches.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- redhat
- Date Reserved
- 2024-02-09T06:02:35.056Z
- Cisa Enriched
- true
- Cvss Version
- 3.1
- State
- PUBLISHED
- Vendor Advisory Urls
- [{"url":"https://access.redhat.com/errata/RHSA-2024:1462","vendor":"Red Hat"},{"url":"https://access.redhat.com/errata/RHSA-2024:1468","vendor":"Red Hat"},{"url":"https://access.redhat.com/errata/RHSA-2024:1472","vendor":"Red Hat"},{"url":"https://access.redhat.com/errata/RHSA-2024:1501","vendor":"Red Hat"},{"url":"https://access.redhat.com/errata/RHSA-2024:1502","vendor":"Red Hat"},{"url":"https://access.redhat.com/errata/RHSA-2024:1561","vendor":"Red Hat"},{"url":"https://access.redhat.com/errata/RHSA-2024:1563","vendor":"Red Hat"},{"url":"https://access.redhat.com/errata/RHSA-2024:1566","vendor":"Red Hat"},{"url":"https://access.redhat.com/errata/RHSA-2024:1567","vendor":"Red Hat"},{"url":"https://access.redhat.com/errata/RHSA-2024:1574","vendor":"Red Hat"},{"url":"https://access.redhat.com/errata/RHSA-2024:1640","vendor":"Red Hat"},{"url":"https://access.redhat.com/errata/RHSA-2024:1644","vendor":"Red Hat"},{"url":"https://access.redhat.com/errata/RHSA-2024:1646","vendor":"Red Hat"},{"url":"https://access.redhat.com/errata/RHSA-2024:1763","vendor":"Red Hat"},{"url":"https://access.redhat.com/errata/RHSA-2024:1897","vendor":"Red Hat"},{"url":"https://access.redhat.com/errata/RHSA-2024:2562","vendor":"Red Hat"},{"url":"https://access.redhat.com/errata/RHSA-2024:2568","vendor":"Red Hat"},{"url":"https://access.redhat.com/errata/RHSA-2024:2569","vendor":"Red Hat"},{"url":"https://access.redhat.com/errata/RHSA-2024:2729","vendor":"Red Hat"},{"url":"https://access.redhat.com/errata/RHSA-2024:2730","vendor":"Red Hat"},{"url":"https://access.redhat.com/errata/RHSA-2024:2767","vendor":"Red Hat"},{"url":"https://access.redhat.com/errata/RHSA-2024:3265","vendor":"Red Hat"},{"url":"https://access.redhat.com/errata/RHSA-2024:3352","vendor":"Red Hat"},{"url":"https://access.redhat.com/errata/RHSA-2024:4146","vendor":"Red Hat"},{"url":"https://access.redhat.com/errata/RHSA-2024:4371","vendor":"Red Hat"},{"url":"https://access.redhat.com/errata/RHSA-2024:4378","vendor":"Red Hat"},{"url":"https://access.redhat.com/errata/RHSA-2024:4379","vendor":"Red Hat"},{"url":"https://access.redhat.com/errata/RHSA-2024:4502","vendor":"Red Hat"},{"url":"https://access.redhat.com/errata/RHSA-2024:4581","vendor":"Red Hat"},{"url":"https://access.redhat.com/errata/RHSA-2024:4591","vendor":"Red Hat"},{"url":"https://access.redhat.com/errata/RHSA-2024:4672","vendor":"Red Hat"},{"url":"https://access.redhat.com/errata/RHSA-2024:4699","vendor":"Red Hat"},{"url":"https://access.redhat.com/errata/RHSA-2024:4761","vendor":"Red Hat"},{"url":"https://access.redhat.com/errata/RHSA-2024:4762","vendor":"Red Hat"},{"url":"https://access.redhat.com/errata/RHSA-2024:4960","vendor":"Red Hat"},{"url":"https://access.redhat.com/errata/RHSA-2024:5258","vendor":"Red Hat"},{"url":"https://access.redhat.com/errata/RHSA-2024:5634","vendor":"Red Hat"},{"url":"https://access.redhat.com/errata/RHSA-2024:7262","vendor":"Red Hat"},{"url":"https://access.redhat.com/errata/RHSA-2025:7118","vendor":"Red Hat"},{"url":"https://access.redhat.com/security/cve/CVE-2024-1394","vendor":"Red Hat"}]
Threat ID: 682d9816c4522896dcbd66f4
Added to database: 5/21/2025, 9:08:38 AM
Last enriched: 4/27/2026, 12:02:57 AM
Last updated: 5/9/2026, 6:30:32 AM
Views: 73
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.