In this long-read post, we discuss CVE-2025-25199, a vulnerability in go-crypto-winnative, the Go crypto backend for Windows that uses Cryptography API: Next Generation (CNG). We go over the details of the vulnerability, provide code snippets, and show how it has been fixed in the latest versions. We also provide links to the original references and discuss the exploit details.
Vulnerability description
The go-crypto-winnative package is a Go crypto backend for Windows using the Cryptography API: Next Generation (CNG). Prior to commit f49c8e1379ea4b147d5bff1b3be5bff45792e41, calls to the cng.TLS1PRF function did not release the key handle, resulting in a small memory leak every time the function was called. This bug could potentially lead to denial of service attacks or further exploitation.
The fix is available in the following versions:
- Microsoft build of Go: 1.23.6-2 and 1.22.12-2
- Pseudoversion 0.0.0-20250211154640-f49c8e1379ea of the github.com/microsoft/go-crypto-winnative Go package
Fix and upgrade details
Commit f49c8e1379ea4b147d5bff1b3be5bff45792e41 contains the fix for the issue, which ensures that the key handle is properly released after each call to the cng.TLS1PRF function. The fix is included in the above-mentioned versions of the Microsoft build of Go and the github.com/microsoft/go-crypto-winnative Go package.
To upgrade your Go installation, follow the official Go installation instructions for your operating system.
If you are using the github.com/microsoft/go-crypto-winnative Go package in your project, update the package dependency to the fixed pseudoversion:
```
github.com/microsoft/go-crypto-winnative v0.0.0-20250211154640-f49c8e1379ea
```
You can do this by running the following command:
```
go get github.com/microsoft/go-crypto-winnative@v0.0.0-20250211154640-f49c8e1379ea
```
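To confirm which side of the fix a project sits on, the following check reads go.mod text or `go list -m all` output and compares the pinned pseudoversion's timestamp with the fixed one. It is an added example, not code from the go-crypto-winnative project; `CheckGoMod`, `classify` and the sample version in `main` are constructed for illustration, and it assumes the module is consumed by pseudoversion and that an earlier timestamp means the fix commit is not included.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

const modPath = "github.com/microsoft/go-crypto-winnative"
const fixTime = "20250211154640" // timestamp in the fixed pseudoversion named on this page

// pseudoRe captures the 14-digit UTC timestamp of a Go pseudoversion.
var pseudoRe = regexp.MustCompile(`-(\d{14})-[0-9a-f]{12}$`)

// classify ranks a version; assumption: timestamp order follows main-branch history.
func classify(version string) string {
	m := pseudoRe.FindStringSubmatch(version)
	if m == nil {
		return "unknown" // not a pseudoversion: review by hand
	} else if m[1] < fixTime {
		return "vulnerable"
	}
	return "fixed"
}

// CheckGoMod scans go.mod or `go list -m all` text and returns the worst status seen.
// "absent" < "fixed" < "unknown" < "vulnerable" holds for plain string comparison too.
func CheckGoMod(text string) string {
	status := "absent"
	for _, line := range strings.Split(text, "\n") {
		f := strings.Fields(strings.SplitN(line, "//", 2)[0]) // drop "// indirect" etc.
		if len(f) > 0 && (f[0] == "require" || f[0] == "replace") {
			f = f[1:]
		}
		if len(f) == 0 || f[0] != modPath {
			continue
		}
		s := "unknown" // replace directives and bare paths need manual review
		if len(f) == 2 {
			s = classify(f[1])
		}
		if s > status {
			status = s
		}
	}
	return status
}

// main runs the check on a constructed go.mod line that predates the fix.
func main() { fmt.Println(CheckGoMod("require " + modPath + " v0.0.0-20241105094412-0123456789ab")) }
```

A result of "unknown" means the module is pinned through a replace directive or a non-pseudoversion string, so the resolved commit has to be checked by hand.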
Below is a code snippet demonstrating the issue and the fix applied in the mentioned commit:
```go
// Before the fix, the key handle was not being released properly:
func (k *Key) TLS1PRF(salt, label, seed []byte, outLen int) ([]byte, error) {
	/* ... some code ... */
	nk, err := cng.BCryptDeriveKey(k.h, &buf[0], bcryptKdfTlsPrfParameters{
		/* ... some fields ... */
	})
	if err != nil {
		return nil, err
	}
	// After the fix, the key handle is released using a defer statement,
	// so it is destroyed on every return path that follows:
	defer cng.BCryptDestroyKey(nk)
	/* ... remaining code ... */
}
```
Exploit details
Currently, there are no known public exploits taking advantage of this vulnerability. However, it is important to upgrade to the fixed versions as soon as possible to stay secure from potential attacks in the future.
Reference links
- CVE-2025-25199 vulnerability details
- GitHub commit containing the fix
- Go installation instructions
In conclusion, CVE-2025-25199 is a memory leak vulnerability present in the go-crypto-winnative Go crypto backend for Windows using Cryptography API: Next Generation (CNG). It is critical to upgrade to the fixed versions to avoid potential denial of service attacks and further exploitation. The above code snippet, reference links, and exploit details should serve as a guide for understanding and addressing this vulnerability.
Timeline
Published on: 02/12/2025 18:15:27 UTC