CVE-2025-25199: 
vulnerability analysis and mitigation

CVE-2025-25199 affects go-crypto-winnative, a Go crypto backend for Windows using Cryptography API: Next Generation (CNG). The vulnerability was discovered and disclosed on February 12, 2025. The issue exists in versions prior to 1.23.6-2 and 1.22.12-2 of the Microsoft build of Go, where calls to cng.TLS1PRF fail to release the key handle (GitHub Advisory).

The vulnerability is caused by a failure to properly release key handles in the cng.TLS1PRF function, resulting in a memory leak each time the function is called. The issue has been assigned a CVSS v3.1 base score of 7.5 (High) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The vulnerability is classified under CWE-401 (Missing Release of Memory after Effective Lifetime) (NVD).

The primary impact of this vulnerability is on system availability through memory resource exhaustion. Each time the affected function is called, it creates a small memory leak, which over time can accumulate and potentially lead to system performance degradation or instability (GitHub Advisory).

The vulnerability has been fixed in versions 1.23.6-2 and 1.22.12-2 of the Microsoft build of Go, as well as in the pseudoversion 0.0.0-20250211154640-f49c8e1379ea of the github.com/microsoft/go-crypto-winnative Go package. The fix involves adding a deferred call to destroy the key handle after use (GitHub Commit).