CVE-2025-25199
Description
go-crypto-winnative Go crypto backend for Windows using Cryptography API: Next Generation (CNG). Prior to commit f49c8e1379ea4b147d5bff1b3be5b0ff45792e41, calls to cng.TLS1PRF don't release the key handle, producing a small memory leak every time. Commit f49c8e1379ea4b147d5bff1b3be5b0ff45792e41 contains a fix for the issue. The fix is included in versions 1.23.6-2 and 1.22.12-2 of the Microsoft build of go, as well as in the pseudoversion 0.0.0-20250211154640-f49c8e1379ea of the github.com/microsoft/go-crypto-winnative Go package.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/microsoft/go-crypto-winnativeGo | < 0.0.0-20250211154640-f49c8e1379ea | 0.0.0-20250211154640-f49c8e1379ea |
Patches
1f49c8e1379eaMerge commit from fork
1 file changed · +1 −0
cng/tls1prf.go+1 −0 modified@@ -44,6 +44,7 @@ func TLS1PRF(result, secret, label, seed []byte, h func() hash.Hash) error { if err := bcrypt.GenerateSymmetricKey(alg, &kh, nil, secret, 0); err != nil { return err } + defer bcrypt.DestroyKey(kh) buffers := make([]bcrypt.Buffer, 0, 3) if len(label) > 0 {
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4News mentions
0No linked articles in our index yet.