CVE-2025-25199 Overview
CVE-2025-25199 is a memory leak vulnerability [CWE-401] in the github.com/microsoft/go-crypto-winnative package, which provides a Go crypto backend for Windows using the Cryptography API: Next Generation (CNG). Calls to cng.TLS1PRF fail to release the underlying key handle, leaking a small amount of memory on every invocation. Repeated calls in long-running services that perform TLS 1.0/1.1 PRF operations exhaust available memory and lead to a denial-of-service condition. The issue is fixed in commit f49c8e1379ea4b147d5bff1b3be5b0ff45792e41, included in Microsoft build of Go versions 1.23.6-2 and 1.22.12-2, and in pseudoversion 0.0.0-20250211154640-f49c8e1379ea of the package.
Critical Impact
Remote, unauthenticated attackers can trigger repeated cng.TLS1PRF calls to exhaust process memory and crash services built with affected versions of the Microsoft Go cryptographic backend.
Affected Products
- github.com/microsoft/go-crypto-winnative prior to commit f49c8e1379ea4b147d5bff1b3be5b0ff45792e41
- Microsoft build of Go versions prior to 1.23.6-2
- Microsoft build of Go versions prior to 1.22.12-2
Discovery Timeline
- 2025-02-12 - CVE-2025-25199 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-25199
Vulnerability Analysis
The vulnerability resides in the cng.TLS1PRF function within the cng/tls1prf.go source file. The function calls bcrypt.GenerateSymmetricKey to create a CNG symmetric key handle from the secret material. It then derives output bytes using the TLS 1.0/1.1 pseudo-random function. The function returns without calling bcrypt.DestroyKey to release the handle. Each invocation leaks the key object inside the CNG provider, consuming a small amount of process and kernel memory.
Applications that invoke TLS1PRF repeatedly, such as TLS servers performing legacy handshakes or key derivation services, accumulate leaked handles over time. The leak is reachable over the network without authentication when the exposed Go service drives PRF calculations from attacker-controlled connections. Sustained traffic drives the process toward memory exhaustion and eventual termination.
Root Cause
The root cause is a missing resource release. The function obtains a CNG key handle but lacks a defer bcrypt.DestroyKey(kh) statement before exiting. The handle remains allocated until process termination, classifying the defect as a memory leak [CWE-401].
Attack Vector
An attacker reaches the vulnerable code path by repeatedly invoking any network-facing functionality that ultimately calls cng.TLS1PRF. Each request leaks one CNG key handle. No privileges or user interaction are required.
if err := bcrypt.GenerateSymmetricKey(alg, &kh, nil, secret, 0); err != nil {
return err
}
+ defer bcrypt.DestroyKey(kh)
buffers := make([]bcrypt.Buffer, 0, 3)
if len(label) > 0 {
Source: GitHub Commit f49c8e1. The patch adds a defer bcrypt.DestroyKey(kh) immediately after the key handle is generated, ensuring the handle is released on every return path.
Detection Methods for CVE-2025-25199
Indicators of Compromise
- Steadily increasing resident memory and handle count in Go processes built with the Microsoft Go toolchain on Windows.
- Process crashes or restarts caused by out-of-memory conditions after sustained TLS or PRF-related traffic.
- Windows Performance counters showing elevated Process\Handle Count and Process\Private Bytes for affected services without a corresponding workload increase.
Detection Strategies
- Inventory Go binaries on Windows hosts and verify the Microsoft Go toolchain version and go-crypto-winnative module pseudoversion embedded in build metadata.
- Run go version -m <binary> against deployed executables to extract module dependencies and flag versions earlier than 0.0.0-20250211154640-f49c8e1379ea.
- Correlate process memory growth trends with inbound TLS handshake volume to identify candidate services exhibiting leak behavior.
Monitoring Recommendations
- Configure alerts on sustained memory growth thresholds for Go services that perform TLS termination or key derivation on Windows.
- Track Windows Event Log entries for application crashes and service restarts on hosts running Microsoft Go workloads.
- Forward process telemetry, including handle counts and working-set size, to a central analytics platform for trend analysis.
How to Mitigate CVE-2025-25199
Immediate Actions Required
- Update the github.com/microsoft/go-crypto-winnative dependency to pseudoversion 0.0.0-20250211154640-f49c8e1379ea or later and rebuild affected binaries.
- Upgrade the Microsoft build of Go to version 1.23.6-2 or 1.22.12-2, then redeploy services that link the CNG crypto backend.
- Restart long-running services that may already hold leaked CNG handles to reclaim memory.
Patch Information
The fix is delivered in commit f49c8e1379ea4b147d5bff1b3be5b0ff45792e41, which adds defer bcrypt.DestroyKey(kh) to cng.TLS1PRF. The corrected code ships in Microsoft Go 1.23.6-2, 1.22.12-2, and the go-crypto-winnative pseudoversion 0.0.0-20250211154640-f49c8e1379ea. See the GitHub Security Advisory GHSA-29c6-3hcj-89cf for full release details.
Workarounds
- Restrict network exposure of services that invoke cng.TLS1PRF until patched builds are deployed.
- Schedule periodic restarts of vulnerable services to bound memory consumption from accumulated leaks.
- Disable TLS 1.0 and TLS 1.1 cipher suites that rely on the legacy PRF where feasible to reduce reachability of the affected code path.
# Update the Microsoft go-crypto-winnative dependency to a patched pseudoversion
go get github.com/microsoft/go-crypto-winnative@v0.0.0-20250211154640-f49c8e1379ea
go mod tidy
go build ./...
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
