Unknown · Go-Crypto-Winnative · CVE-2025-25199
Name of the Vulnerable Software and Affected Versions:
go-crypto-winnative versions prior to 1.23.6-2
go-crypto-winnative versions prior to 1.22.12-2
go-crypto-winnative version 0.0.0-20250211154640-f49c8e1379ea
Description:
The issue affects go-crypto-winnative, the Go crypto backend for Windows, which uses the Cryptography API: Next Generation (CNG). Calls to `cng.TLS1PRF` do not release the key handle, resulting in a small memory leak on every call.
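The leak pattern described above, modelled as an added Go example that is not code from go-crypto-winnative: a constructed in-memory handle table stands in for CNG key handles, and `importKey`, `derive`, `leakyPRF`, `fixedPRF` and `leaked` are hypothetical names. It contrasts a PRF call that never releases its handle with one that releases it via `defer`, and counts the handles left open after repeated calls.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// live is a constructed stand-in for open CNG key handles (all names here are hypothetical).
var live, next = map[int][]byte{}, 0
// importKey models acquiring a key handle; each one must later be deleted from live.
func importKey(secret []byte) int {
	next++
	live[next] = secret
	return next
}
// derive is the TLS 1.2 P_SHA256 expansion (RFC 5246, section 5); seed is label||seed.
func derive(h int, seed []byte, n int) []byte {
	mac := func(b []byte) []byte {
		m := hmac.New(sha256.New, live[h])
		m.Write(b)
		return m.Sum(nil)
	}
	var out []byte
	for a := mac(seed); len(out) < n; a = mac(a) {
		out = append(out, mac(append(a, seed...))...)
	}
	return out[:n]
}

// leakyPRF has the shape of the reported bug: the handle is never released.
func leakyPRF(secret, seed []byte, n int) []byte { return derive(importKey(secret), seed, n) }

// fixedPRF releases the handle on every return path.
func fixedPRF(secret, seed []byte, n int) []byte {
	h := importKey(secret)
	defer delete(live, h)
	return derive(h, seed, n)
}

// leaked counts handles still open after `calls` invocations of prf.
func leaked(prf func(secret, seed []byte, n int) []byte, calls int) int {
	before := len(live)
	for i := 0; i < calls; i++ {
		prf([]byte("constructed secret"), []byte("constructed label and seed"), 48)
	}
	return len(live) - before
}

func main() { fmt.Println("leaky:", leaked(leakyPRF, 1000), "fixed:", leaked(fixedPRF, 1000)) }
```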
Recommendations:
For go-crypto-winnative versions prior to 1.23.6-2, update to version 1.23.6-2 or later.
For go-crypto-winnative versions prior to 1.22.12-2, update to version 1.22.12-2 or later.
For go-crypto-winnative version 0.0.0-20250211154640-f49c8e1379ea, no additional action is required as this version already includes the fix.
As a temporary workaround, consider restricting the use of the `cng.TLS1PRF` function until a patch is applied.