PT-2025-7055 · Unknown · Go-Crypto-Winnative

Clarkb7 · Published 2025-02-12 · Updated 2025-03-13 · CVE-2025-25199

CVSS v3.1: 7.5 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: go-crypto-winnative versions prior to 1.23.6-2; go-crypto-winnative versions prior to 1.22.12-2; go-crypto-winnative version 0.0.0-20250211154640-f49c8e1379ea
Description: The issue affects go-crypto-winnative, the Go crypto backend for Windows, which uses the Cryptography API: Next Generation (CNG). Calls to cng.TLS1PRF do not release the key handle, resulting in a small memory leak on every call.
Recommendations: For go-crypto-winnative versions prior to 1.23.6-2, update to version 1.23.6-2 or later. For go-crypto-winnative versions prior to 1.22.12-2, update to version 1.22.12-2 or later. For go-crypto-winnative version 0.0.0-20250211154640-f49c8e1379ea, no additional action is required as this version already includes the fix. As a temporary workaround, consider restricting the use of the cng.TLS1PRF function until a patch is applied.

Exploit

Fix

Memory Leak


Weakness Enumeration

Related Identifiers

AZL-79122
CVE-2025-25199
GHSA-29C6-3HCJ-89CF
GO-2025-3461
OPENSUSE-SU-2025:14889-1

Affected Products

Go-Crypto-Winnative