diff --git a/changelog/17532.txt b/changelog/17532.txt
new file mode 100644
index 000000000..0a0926197
--- /dev/null
+++ b/changelog/17532.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+core: prevent memory leak when using control group factors in a policy
+```
diff --git a/vault/acl.go b/vault/acl.go
index 9dffe34f6..7aeb102bd 100644
--- a/vault/acl.go
+++ b/vault/acl.go
@@ -260,7 +260,11 @@ func NewACL(ctx context.Context, policies []*Policy) (*ACL, error) {
 if pc.Permissions.ControlGroup != nil {
 if len(pc.Permissions.ControlGroup.Factors) > 0 {
 if existingPerms.ControlGroup == nil {
- existingPerms.ControlGroup = pc.Permissions.ControlGroup
+ cg, err := pc.Permissions.ControlGroup.Clone()
+ if err != nil {
+ return nil, err
+ }
+ existingPerms.ControlGroup = cg
 } else {
 existingPerms.ControlGroup.Factors = append(existingPerms.ControlGroup.Factors, pc.Permissions.ControlGroup.Factors...)
 }
diff --git a/vault/policy.go b/vault/policy.go
index 75084c4d8..bdd93bffb 100644
--- a/vault/policy.go
+++ b/vault/policy.go
@@ -149,6 +149,17 @@ type ControlGroup struct {
 Factors []*ControlGroupFactor
 }

+func (c *ControlGroup) Clone() (*ControlGroup, error) {
+ clonedControlGroup, err := copystructure.Copy(c)
+ if err != nil {
+ return nil, err
+ }
+
+ cg := clonedControlGroup.(*ControlGroup)
+
+ return cg, nil
+}
+
 type ControlGroupFactor struct {
 Name string
 Identity *IdentityFactor `hcl:"identity"`
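Review bot: The new clone in the `existingPerms.ControlGroup == nil` branch carries no comment, and the reason for it sits in the `else` branch, which appends to `existingPerms.ControlGroup.Factors` in place; without the copy that append wrote into the `ControlGroup` owned by the `Policy` passed to NewACL. I would add `// Clone first: the else branch appends to Factors in place and must not modify the Policy's own ControlGroup.` above the `Clone()` call. If policies are shared between requests (not visible here), the old aliasing also changed which factors later ACLs saw, so a regression test that calls NewACL twice on the same policies and checks that the policy's factor count stays constant would be worth having. The bare `return nil, err` could also say what failed, e.g. `return nil, fmt.Errorf("cloning control group: %w", err)` if `fmt` is already imported in this file. NewACL starts and ends outside the hunk.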
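Review bot: The unchecked assertion `clonedControlGroup.(*ControlGroup)` in `Clone` panics if `copystructure.Copy` ever returns a different dynamic type, and this method now sits on the path that builds ACLs, so an error return is the safer failure mode. The comma-ok form fits the existing signature: `cg, ok := clonedControlGroup.(*ControlGroup)` followed by `if !ok { return nil, errors.New("unexpected type for cloned control group") }`, assuming `errors` is available in policy.go. It is also worth confirming what `Copy` yields for a nil receiver, since `Clone` does not guard `c == nil`. The exported method has no doc comment; `// Clone returns a deep copy of c, so the caller can modify Factors without affecting the original.` would state the contract the acl.go change relies on.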