CVE-2025-25199
BCryptGenerateSymmetricKey memory leak
Severity Score
7.5
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
Attend
*SSVC
Descriptions
go-crypto-winnative Go crypto backend for Windows using Cryptography API: Next Generation (CNG). Prior to commit f49c8e1379ea4b147d5bff1b3be5b0ff45792e41, calls to `cng.TLS1PRF` don't release the key handle, producing a small memory leak every time. Commit f49c8e1379ea4b147d5bff1b3be5b0ff45792e41 contains a fix for the issue. The fix is included in versions 1.23.6-2 and 1.22.12-2 of the Microsoft build of go, as well as in the pseudoversion 0.0.0-20250211154640-f49c8e1379ea of the `github.com/microsoft/go-crypto-winnative` Go package.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:Attend
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2025-02-03 CVE Reserved
- 2025-02-12 CVE Published
- 2025-02-12 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-401: Missing Release of Memory after Effective Lifetime
CAPEC
References (2)
| URL | Tag | Source |
|---|---|---|
| https://github.com/microsoft/go-crypto-winnative/commit/f49c8e1379ea4b147d5bff1b3be5b0ff45792e41 | X_refsource_misc | |
| https://github.com/microsoft/go-crypto-winnative/security/advisories/GHSA-29c6-3hcj-89cf | X_refsource_confirm |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Microsoft Search vendor "Microsoft" | Go-crypto-winnative Search vendor "Microsoft" for product "Go-crypto-winnative" | < 1.23.6 Search vendor "Microsoft" for product "Go-crypto-winnative" and version " < 1.23.6" | en |
Affected
| ||||||
| Microsoft Search vendor "Microsoft" | Go-crypto-winnative Search vendor "Microsoft" for product "Go-crypto-winnative" | < 1.22.12 Search vendor "Microsoft" for product "Go-crypto-winnative" and version " < 1.22.12" | en |
Affected
| ||||||
| Microsoft Search vendor "Microsoft" | Go-crypto-winnative Search vendor "Microsoft" for product "Go-crypto-winnative" | < 0.0.0 Search vendor "Microsoft" for product "Go-crypto-winnative" and version " < 0.0.0" | en |
Affected
| ||||||