diff --git a/changelog/17532.txt b/changelog/17532.txt
new file mode 100644
index 0000000000000..0a0926197c68c
--- /dev/null
+++ b/changelog/17532.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+core: prevent memory leak when using control group factors in a policy
+```
diff --git a/vault/acl.go b/vault/acl.go
index fc9f353aa8afb..b81a83fd0757b 100644
--- a/vault/acl.go
+++ b/vault/acl.go
@@ -251,7 +251,11 @@ func NewACL(ctx context.Context, policies []*Policy) (*ACL, error) {
 if pc.Permissions.ControlGroup != nil {
 if len(pc.Permissions.ControlGroup.Factors) > 0 {
 if existingPerms.ControlGroup == nil {
- existingPerms.ControlGroup = pc.Permissions.ControlGroup
+ cg, err := pc.Permissions.ControlGroup.Clone()
+ if err != nil {
+ return nil, err
+ }
+ existingPerms.ControlGroup = cg
 } else {
 for _, authz := range pc.Permissions.ControlGroup.Factors {
 existingPerms.ControlGroup.Factors = append(existingPerms.ControlGroup.Factors, authz)
diff --git a/vault/policy.go b/vault/policy.go
index e80d1657e98dd..7eaa50f0500b9 100644
--- a/vault/policy.go
+++ b/vault/policy.go
@@ -148,6 +148,17 @@ type ControlGroup struct {
 Factors []*ControlGroupFactor
 }
 
+func (c *ControlGroup) Clone() (*ControlGroup, error) {
+ clonedControlGroup, err := copystructure.Copy(c)
+ if err != nil {
+ return nil, err
+ }
+
+ cg := clonedControlGroup.(*ControlGroup)
+
+ return cg, nil
+}
+
 type ControlGroupFactor struct {
 Name string
 Identity *IdentityFactor `hcl:"identity"`
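Review bot: The new Clone() call in NewACL has no comment saying why the copy is necessary, and the reason is not obvious from this branch alone: the `else` branch below appends factors into `existingPerms.ControlGroup.Factors`, so without the clone those appends would land on the shared *Policy object and its factor slice would keep growing across ACL builds, which is the leak the changelog describes. A one-line why-comment above the call would keep a future reader from "simplifying" it back to an assignment, e.g. `// Clone so the factor appends below mutate the ACL's copy, not the shared policy.` The `return nil, err` also drops which policy's control group failed to copy; if fmt is already imported in acl.go, `return nil, fmt.Errorf("cloning control group: %w", err)` keeps the chain informative. NewACL's body starts and ends outside this hunk, so I cannot tell whether `err` here shadows an outer variable.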
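Review bot: The exported Clone method on ControlGroup has no doc comment, and its unchecked type assertion `clonedControlGroup.(*ControlGroup)` will panic rather than return an error if copystructure.Copy ever yields something other than a *ControlGroup — which, I believe, is what happens for a nil receiver, where the library returns a nil interface. Add a doc comment along the lines of `// Clone returns a deep copy of the control group so callers can mutate the copy's Factors without affecting the policy it was parsed from.` and guard the two cases: `if c == nil { return nil, nil }` at the top, and `cg, ok := clonedControlGroup.(*ControlGroup); if !ok { return nil, fmt.Errorf("unexpected type %T from copystructure", clonedControlGroup) }` in place of the bare assertion (assuming fmt is available in policy.go). The nil-receiver behaviour of copystructure is inferred, not visible in the hunk, so confirm it before relying on the guard.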