Microsoft Go Crypto Backend for Windows Memory Leak Vulnerability

Vulnerability

A memory leak vulnerability has been identified in the Microsoft Go crypto backend for Windows, specifically in versions through 1.23.6-1 and 1.22.12-1. The issue arises because calls to 'cng.TLS1PRF' do not properly release the key handle, leading to a small but cumulative memory leak. This vulnerability has been patched in versions 1.23.6-2 and 1.22.12-2 of the Microsoft build of Go, as well as in the pseudoversion 0.0.0-20250211154640-f49c8e1379ea of the 'github.com/microsoft/go-crypto-winnative' Go package.

Impact

Each affected call to 'cng.TLS1PRF' leaves its key handle unreleased. The individual leak is small, but it accumulates, so memory consumption grows over time in processes that call the function repeatedly.

Remediation

Users can upgrade to version 1.23.6-2 or 1.22.12-2 of the Microsoft build of Go. For those using the 'github.com/microsoft/go-crypto-winnative' Go package, the vulnerability can be addressed by updating to the pseudoversion 0.0.0-20250211154640-f49c8e1379ea.
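As an added example (not from the advisory or from Microsoft's project), a small Go check that scans a go.mod for the affected module and orders the pinned pseudoversion against the fixed one by commit timestamp. The module path and fixed pseudoversion are taken from the advisory; the sample go.mod is constructed, and the check assumes the module is consumed only at v0.0.0 pseudoversions, reporting anything else as unknown.

```go
package main

import (
	"bufio"
	"strings"
)

// Module path and fixed pseudoversion exactly as given in the advisory.
const AffectedModule = "github.com/microsoft/go-crypto-winnative"
const FixedPseudoversion = "v0.0.0-20250211154640-f49c8e1379ea"
// SampleGoMod is a constructed go.mod pinning a pre-fix commit (the hash is made up).
const SampleGoMod = "module example.com/app\n\ngo 1.22\n\nrequire (\n\texample.com/other v1.2.3\n\tgithub.com/microsoft/go-crypto-winnative v0.0.0-20250101000000-0123456789ab // indirect\n)\n"

// RequiredVersion returns the version go.mod requires for AffectedModule (single-line or block form), or "".
func RequiredVersion(gomod string) string {
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := sc.Text()
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i] // strip trailing comments such as "// indirect"
		}
		f := strings.Fields(line)
		switch {
		case len(f) == 2 && f[0] == "require" && f[1] == "(":
			inBlock = true
		case len(f) == 1 && f[0] == ")":
			inBlock = false
		case inBlock && len(f) == 2 && f[0] == AffectedModule:
			return f[1]
		case len(f) == 3 && f[0] == "require" && f[1] == AffectedModule:
			return f[2]
		}
	}
	return ""
}

// Status reports "not-required", "unknown", "vulnerable" or "fixed"; v0.0.0 pseudoversions are
// "v0.0.0-<14-digit UTC timestamp>-<hash>", so comparing the first 21 bytes orders commits by time.
func Status(gomod string) string {
	v := RequiredVersion(gomod)
	switch {
	case v == "":
		return "not-required"
	case !strings.HasPrefix(v, "v0.0.0-") || len(v) < 21 || strings.Trim(v[7:21], "0123456789") != "":
		return "unknown" // tagged release or malformed version; not comparable here
	case v[:21] < FixedPseudoversion[:21]:
		return "vulnerable"
	}
	return "fixed"
}
```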

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 8.1
remediation: 7.7
relevance: 0.0
threat: 3.2
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.