sm-crypto – SM2 Cryptographic Implementation Failures
Product & Component Details (At a Glance)
| Field | Value |
|---|---|
| Product | sm-crypto |
| Cryptographic Standard | SM2 (Elliptic Curve Public Key Cryptography) |
| Affected Areas | Key generation, digital signing, signature verification |
| Usage Context | Authentication, digital signatures, PKI, secure communications |
| Impact Scope | Confidentiality, Integrity, Authentication |
| Risk Level | Critical |
Executive Summary
Three critical vulnerabilities have been identified in the SM2 implementation within sm-crypto.
Individually, each issue is severe. Collectively, they represent a total cryptographic trust failure.
These flaws allow attackers to:
- Recover private keys
- Forge digital signatures
- Bypass authentication
- Manipulate signed data without detection
Because SM2 is often used as a root trust mechanism, exploitation compromises every system, identity, and transaction that relies on it.
Vulnerability Overview
| CVE ID | Vulnerability | Impact |
|---|---|---|
| CVE-2026-23966 | Private Key Recovery | Complete cryptographic compromise |
| CVE-2026-23965 | Signature Forgery | Authentication bypass |
| CVE-2026-23967 | Signature Malleability | Integrity and replay bypass |
CVE-2026-23966 – SM2 Private Key Recovery
Severity Overview
| Metric | Value |
|---|---|
| CVSS Score | 9.8 |
| Severity | Critical |
| Attack Vector | Network |
| User Interaction | None |
| Exploitability | High |
| Privileges Required | None |
Technical Root Cause
SM2 requires a cryptographically secure random nonce (k) for each signature.
The vulnerability occurs when:
- The nonce is reused
- The nonce is predictable
- Entropy sources are weak or uninitialized
- Random generation is influenced by attacker-controlled inputs
Once nonce integrity fails, private key secrecy collapses mathematically.
This is not a brute-force attack — it is deterministic cryptographic recovery.
Exploitation Details
How an Attacker Exploits This
- Observe one or more SM2 signatures
- Identify nonce reuse or correlation
- Apply algebraic reconstruction techniques
- Recover the private key offline
- Forge signatures or decrypt data indefinitely
This attack is silent, offline, and does not trigger authentication failures.
Impact
- Total identity impersonation
- Forged certificates and signatures
- Decryption of protected data
- Long-term persistent compromise
- Historical trust invalidation
Once exploited, past and future cryptographic operations are untrustworthy.
MITRE ATT&CK Mapping
- T1552 – Unsecured Credentials
- T1606 – Forge Web Credentials
- T1556 – Modify Authentication Process
Detection & Monitoring
What Can Be Detected
You cannot directly detect private key extraction, but you can detect conditions that enable it.
Indicators
- Identical or repeating SM2 signature components
- Signing operations immediately after system start
- High signing volume under low entropy conditions
Log Sources
- Application signing logs
- Cryptographic provider debug logs
- Kernel entropy / RNG logs
- PKI audit logs
Example SIEM Detection Rule
IF
count(distinct(sm2_signature_r)) < count(sm2_signatures)
WITHIN 24h
THEN
alert "Potential SM2 nonce reuse – Private key compromise risk"
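A runnable version of the rule above, added here as an example rather than taken from the advisory or from sm-crypto: it parses constructed JSON signing-log lines (field names ts, key_id, msg_id, digest and r are assumed) and keys on x1 = (r - e) mod n instead of r alone, because SM2 sets r = (e + x1) mod n, so a reused nonce repeats x1 even when the signed digests differ, which a distinct-count on r would miss.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Order n of the SM2 base point (sm2p256v1)
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123

def nonce_reuse_alerts(log_lines, window=timedelta(hours=24)):
    """Return one alert per signature whose x1 = (r - e) mod n was already seen for the same key in `window`.

    SM2 computes r = (e + x1) mod n, so a reused nonce k reproduces x1 even when the digest e differs;
    comparing r values alone only catches reuse on an identical message.
    """
    seen = defaultdict(list)          # (key_id, x1) -> [(timestamp, msg_id), ...]
    alerts = []
    for line in log_lines:
        rec = json.loads(line)
        ts = datetime.fromisoformat(rec["ts"])
        x1 = (int(rec["r"], 16) - int(rec["digest"], 16)) % N
        bucket = seen[(rec["key_id"], x1)]
        bucket[:] = [(t, m) for t, m in bucket if ts - t <= window]   # forget entries outside the window
        if bucket:
            alerts.append({"key_id": rec["key_id"], "x1": f"{x1:064x}",
                           "msg_ids": [m for _, m in bucket] + [rec["msg_id"]]})
        bucket.append((ts, rec["msg_id"]))
    return alerts

def _constructed_line(ts, key_id, msg_id, digest, x1):
    """Build a constructed log line whose r is consistent with digest e and nonce x-coordinate x1."""
    return json.dumps({"ts": ts, "key_id": key_id, "msg_id": msg_id,
                       "digest": f"{digest:064x}", "r": f"{(digest + x1) % N:064x}"})

# Constructed sample log: svc-a reuses the nonce behind x1=0xAAAA for m1 and m3 (different digests);
# svc-b's use of the same x1 belongs to another key, and m4 repeats it only two days later.
SAMPLE_LOG = [
    _constructed_line("2026-01-10T08:00:00", "svc-a", "m1", 0x1111, 0xAAAA),
    _constructed_line("2026-01-10T09:00:00", "svc-a", "m2", 0x2222, 0xBBBB),
    _constructed_line("2026-01-10T10:00:00", "svc-a", "m3", 0x3333, 0xAAAA),
    _constructed_line("2026-01-10T11:00:00", "svc-b", "m5", 0x5555, 0xAAAA),
    _constructed_line("2026-01-12T10:00:00", "svc-a", "m4", 0x4444, 0xAAAA),
]

if __name__ == "__main__":
    for alert in nonce_reuse_alerts(SAMPLE_LOG):
        print(f"ALERT nonce reuse: key={alert['key_id']} messages={alert['msg_ids']}")
```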
Incident Response Guidance
- Assume private keys are compromised
- Rotate all SM2 keys immediately
- Revoke certificates
- Re-establish trust chains
- Audit historical signed data
CVE-2026-23965 – SM2 Signature Forgery (Authentication Bypass)
Severity Overview
| Metric | Value |
|---|---|
| CVSS Score | 9.1 |
| Severity | Critical |
| Attack Vector | Network |
| Exploitability | High |
Technical Root Cause
The signature verification logic:
- Fails to strictly validate SM2 parameters
- Accepts malformed or edge-case values
- Skips mandatory elliptic curve checks
As a result, invalid signatures are accepted as valid.
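As an added example (not sm-crypto's own code), a minimal SM2 sign/verify in Python over the standard sm2p256v1 parameters: the verifier performs the range, curve-membership and t != 0 checks that this section describes as skipped, and the signer accepts an injected nonce k purely so a test can reproduce the nonce-reuse condition of CVE-2026-23966 and observe that both signatures share x1 = (r - e) mod n. The SM3 digest e (which in SM2 covers Z_A and the message) is assumed to be computed elsewhere and passed in as an integer.

```python
from secrets import randbelow
# SM2 curve sm2p256v1 (GB/T 32918.5); cofactor 1, so every on-curve point has order N
P = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
A = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC
B = 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
G = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
     0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0)

def ec_add(p1, p2):  # affine addition; None is the point at infinity
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0: return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def ec_mul(k, pt):  # double-and-add; not constant-time, for illustration only
    acc = None
    while k:
        if k & 1: acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def on_curve(pt):
    return pt is not None and all(0 <= c < P for c in pt) and \
        (pt[1] ** 2 - pt[0] ** 3 - A * pt[0] - B) % P == 0

def sign(d, e, k=None):
    # k is injectable only so a test can reproduce the repeated-nonce condition; never expose it in real code
    while True:
        kk = k if k is not None else randbelow(N - 1) + 1
        x1, _ = ec_mul(kk, G)
        r = (e + x1) % N                           # r depends on the digest e and on x1 = x([k]G)
        s = pow(1 + d, -1, N) * (kk - r * d) % N
        if r and s and r + kk != N: return r, s
        if k is not None: raise ValueError("fixed nonce unusable for this digest")

def verify_strict(pub, e, sig):
    # GB/T 32918.2 verification including the parameter checks a lax verifier skips
    r, s = sig
    if not (1 <= r < N and 1 <= s < N): return False  # r and s must lie in [1, N-1]
    if not on_curve(pub): return False                 # public key must be a genuine curve point
    t = (r + s) % N
    if t == 0: return False                            # the standard requires t != 0
    pt = ec_add(ec_mul(s, G), ec_mul(t, pub))
    return pt is not None and (e + pt[0]) % N == r     # accept only when R == r
```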
Exploitation Details
Attack Flow
- Attacker crafts a malformed SM2 signature
- Signature bypasses validation checks
- System accepts it as authentic
- Attacker gains unauthorized access
No private key is required.
Impact
- Full authentication bypass
- Account impersonation
- Unauthorized API access
- Compromise of signed firmware or updates
MITRE ATT&CK Mapping
- T1078 – Valid Accounts
- T1556 – Modify Authentication Process
- T1606 – Forge Credentials
Detection & Monitoring
Indicators
- Authentication success with malformed signatures
- Verification success without corresponding key usage
- Anomalous authentication patterns
Log Sources
- Authentication service logs
- API gateway logs
- Signature verification audit logs
SIEM Detection Rule
IF
signature_verification = success
AND signature_validation_warnings = true
THEN
alert "SM2 signature validation bypass suspected"
Incident Response Guidance
- Treat authentication logs as unreliable
- Force re-authentication
- Invalidate sessions
- Apply strict verification updates immediately
CVE-2026-23967 – SM2 Signature Malleability
Severity Overview
| Metric | Value |
|---|---|
| CVSS Score | 7.5 |
| Severity | High |
| Exploitability | Medium |
Technical Root Cause
The implementation allows non-canonical signature representations, meaning:
- Multiple valid signatures exist for the same message
- Signature uniqueness is not enforced
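As an added example, independent of sm-crypto's parser, a strict decoder for the DER form of an SM2 signature (SEQUENCE { r INTEGER, s INTEGER }) that accepts exactly one byte string per (r, s) pair: redundant leading zeros, negative encodings, trailing or extra data and out-of-range values are all rejected, so a captured signature cannot be re-encoded into a second byte string that still verifies.

```python
# Order n of the SM2 base point (sm2p256v1); r and s must both lie in [1, n-1]
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123

class MalformedSignature(ValueError):
    """Raised for any byte string that is not the single canonical DER encoding of a valid (r, s)."""

def _read_der_int(buf, pos):
    """Parse one DER INTEGER at buf[pos:] under strict rules; return (value, position after it)."""
    if pos + 2 > len(buf) or buf[pos] != 0x02:
        raise MalformedSignature("expected INTEGER tag")
    length = buf[pos + 1]
    if length == 0 or length >= 0x80:           # r, s fit in 33 bytes: no zero-length, no long-form length
        raise MalformedSignature("bad INTEGER length")
    body = buf[pos + 2 : pos + 2 + length]
    if len(body) != length:
        raise MalformedSignature("truncated INTEGER")
    if body[0] & 0x80:                           # two's-complement negative: never valid for r or s
        raise MalformedSignature("negative INTEGER")
    if length > 1 and body[0] == 0x00 and not body[1] & 0x80:
        raise MalformedSignature("redundant leading zero (non-minimal INTEGER)")
    return int.from_bytes(body, "big"), pos + 2 + length

def parse_sm2_signature_strict(der):
    """Decode SEQUENCE { r INTEGER, s INTEGER }, rejecting every non-canonical variant."""
    if len(der) < 2 or der[0] != 0x30:
        raise MalformedSignature("expected SEQUENCE tag")
    if der[1] >= 0x80 or 2 + der[1] != len(der):  # no long-form length, no trailing bytes
        raise MalformedSignature("bad SEQUENCE length or trailing data")
    r, pos = _read_der_int(der, 2)
    s, pos = _read_der_int(der, pos)
    if pos != len(der):
        raise MalformedSignature("extra data inside SEQUENCE")
    for name, value in (("r", r), ("s", s)):
        if not 1 <= value < N:
            raise MalformedSignature(f"{name} out of range")
    return r, s

def encode_sm2_signature(r, s):
    """Canonical DER encoder: the one byte string parse_sm2_signature_strict accepts for (r, s)."""
    def der_int(value):
        body = value.to_bytes((value.bit_length() + 8) // 8, "big")  # +8 bits adds the 0x00 sign byte only when needed
        return bytes([0x02, len(body)]) + body
    body = der_int(r) + der_int(s)
    return bytes([0x30, len(body)]) + body
```

For a fixed-width 32-byte r||s form the same idea reduces to requiring exactly 64 bytes plus the two range checks.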
Exploitation Details
Attack Flow
- Capture a valid signed message
- Modify the signature without breaking validity
- Replay or alter message flows
- Bypass integrity or replay controls
Impact
- Message replay attacks
- Integrity control bypass
- Audit trail manipulation
- Weak non-repudiation
MITRE ATT&CK Mapping
- T1565 – Data Manipulation
- T1071 – Application Layer Protocol Abuse
Detection & Monitoring
Indicators
- Same message hash with different signatures
- Replayed signed messages
- Signature format inconsistencies
Log Sources
- Transaction logs
- Message verification logs
- Audit systems
SIEM Detection Rule
IF
same(message_hash)
AND different(signature_value)
WITHIN short_timeframe
THEN
alert "SM2 signature malleability detected"
Remediation & Patch Guidance
Mandatory Actions
- Apply the official sm-crypto patch only
- Rotate all SM2 keys
- Revoke and reissue certificates
- Enforce secure entropy sources
- Enable strict signature validation
- Enforce canonical signature encoding
- Implement replay protection
Configuration-only mitigation is not sufficient.
Risk Assessment Summary
| Area | Risk |
|---|---|
| Confidentiality | Fully compromised |
| Integrity | Partially to fully compromised |
| Authentication | Fully compromised |
| Non-Repudiation | Broken |
Final Takeaway
These vulnerabilities represent a systemic cryptographic failure, not a simple bug.
Any environment using affected SM2 functionality must be treated as high risk until fully patched and re-trusted.
