Cyber Resilience

CVE-2025-25199

High

Published: 12 February 2025

Modified: 15 April 2026
KEV Added
Patch
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0103 (77.7th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-25199 is a high-severity Missing Release of Memory after Effective Lifetime (CWE-401) vulnerability. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks in the top 22.3% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2025-25199 is a memory leak vulnerability in the go-crypto-winnative package, the Go cryptography backend for Windows that uses the Cryptography API: Next Generation (CNG). Prior to commit f49c8e1379ea4b147d5bff1b3be5b0ff45792e41, repeated calls to cng.TLS1PRF fail to release the key handle, resulting in a small memory leak on each invocation. The issue is tracked under CWE-401 and carries a CVSS 3.1 score of 7.5 reflecting high availability impact.

An unauthenticated remote attacker can trigger the flaw by sending crafted TLS traffic that exercises the TLS1PRF function, gradually exhausting memory on affected Windows systems and leading to denial of service. No privileges or user interaction are required, and the attack can be mounted over the network with low complexity.

The GitHub Security Advisory GHSA-29c6-3hcj-89cf and the referenced commit describe the fix, which is shipped in Microsoft Go builds 1.23.6-2 and 1.22.12-2 as well as pseudoversion 0.0.0-20250211154640-f49c8e1379ea of github.com/microsoft/go-crypto-winnative. Organizations should update to these releases to eliminate the leak.
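To find projects that still pin a pre-fix copy of the package, the following added example (not code from the advisory or from the go-crypto-winnative project) reads a go.mod and compares the required pseudo-version's timestamp with that of the fixed pseudoversion named above. It assumes a later timestamp means the fixing commit is included, ignores `replace` directives, and does not check which Microsoft build of Go is installed; the function names and statuses are illustrative.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

const modPath = "github.com/microsoft/go-crypto-winnative"
const fixedStamp = "20250211154640" // timestamp of the fixed pseudoversion named on this page
var pseudoRe = regexp.MustCompile(`^v0\.0\.0-(\d{14})-[0-9a-f]{12}$`)

// classify compares a pseudo-version's commit timestamp with the fix.
func classify(v string) string {
	m := pseudoRe.FindStringSubmatch(v)
	if m == nil {
		return "unknown" // not a v0.0.0 pseudo-version: review by hand
	}
	if m[1] < fixedStamp { // fixed-width digits: string order is time order
		return "vulnerable"
	}
	return "fixed"
}

// CheckGoMod returns the required version of modPath and its status:
// "vulnerable", "fixed", "unknown" or "absent".
func CheckGoMod(gomod string) (version, status string) {
	block := "" // directive of the enclosing "( ... )" block, if any
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line, _, _ := strings.Cut(sc.Text(), "//") // drop trailing comments
		f := strings.Fields(line)
		switch {
		case len(f) == 2 && f[1] == "(":
			block = f[0]
		case len(f) == 1 && f[0] == ")":
			block = ""
		case len(f) >= 3 && block == "" && f[0] == "require" && f[1] == modPath:
			return f[2], classify(f[2])
		case len(f) >= 2 && block == "require" && f[0] == modPath:
			return f[1], classify(f[1])
		}
	}
	return "", "absent"
}

func main() {
	fmt.Println(CheckGoMod("require " + modPath + " v0.0.0-20240101000000-0123456789ab")) // constructed input
}
```

A result of "unknown" or "absent" is not a clean bill of health: binaries built with an older Microsoft build of Go still need the toolchain update described above.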

EPSS for the CVE rose from a low baseline to a peak of 0.0870 on 2026-02-18 before receding to the current value of 0.0103, indicating a period of increased exploitation interest after disclosure.

Vulnerability details

go-crypto-winnative Go crypto backend for Windows using Cryptography API: Next Generation (CNG). Prior to commit f49c8e1379ea4b147d5bff1b3be5b0ff45792e41, calls to `cng.TLS1PRF` don't release the key handle, producing a small memory leak every time. Commit f49c8e1379ea4b147d5bff1b3be5b0ff45792e41 contains a fix for the issue. The fix is included in versions 1.23.6-2 and 1.22.12-2 of the Microsoft build of go, as well as in the pseudoversion 0.0.0-20250211154640-f49c8e1379ea of the `github.com/microsoft/go-crypto-winnative` Go package.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1499.004: Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The memory leak in TLS1PRF allows remote unauthenticated attackers to trigger repeated invocations via TLS handshakes, causing gradual memory exhaustion and denial of service on the endpoint, directly mapping to application/system exploitation for DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-25796 (shared CWE-401)
CVE-2026-23095 (shared CWE-401)
CVE-2026-20012 (shared CWE-401)
CVE-2026-3650 (shared CWE-401)
CVE-2026-20014 (shared CWE-401)
CVE-2025-29910 (shared CWE-401)
CVE-2026-43506 (shared CWE-401)
CVE-2026-7379 (shared CWE-401)
CVE-2026-20105 (shared CWE-401)
CVE-2026-23453 (shared CWE-401)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly requires timely remediation of software flaws like the memory leak in go-crypto-winnative by applying the fixing commit or updated package versions.

Prevent: Vulnerability scanning identifies deployments using vulnerable versions of the go-crypto-winnative package prior to exploitation.

Prevent: Denial-of-service protections limit the effects of repeated TLS1PRF invocations causing memory exhaustion on affected Windows systems.
