Vulnerability Summary (at-a-glance)
| Field | CVE-2026-22700 | CVE-2026-22699 | CVE-2026-22698 |
|---|---|---|---|
| CVSS v3.1 Score | 7.5 (High) | 7.5 (High) | 8.1 (High) |
| Severity | High | High | High |
| Vulnerability Type | Panic-based denial of service | Invalid elliptic-curve point handling | Cryptographic weakness (nonce entropy collapse) |
| Affected Component | SM2 PKE decryption logic | SM2 unwrap / EC point parsing | SM2 encryption nonce generation |
| Affected Versions | RustCrypto SM2 prior to fix | RustCrypto SM2 prior to fix | RustCrypto SM2 prior to fix |
| Fixed Version | Official patched RustCrypto release | Official patched RustCrypto release | Official patched RustCrypto release |
| Attack Vector | Remote, network-supplied ciphertext | Remote, crafted SM2 ciphertext | Passive or active cryptographic analysis |
| Privileges Required | None | None | None |
| User Interaction | None | None | None |
| Primary Impact | Service crash / denial of service | Service crash / denial of service | Ciphertext decryption, data exposure |
| Exploit Practicality | High | High | Moderate to High |
| Patch Available | Yes (official) | Yes (official) | Yes (official) |
CVE-2026-22700 – RustCrypto SM2 PKE panic leading to denial of service
What is actually happening
In this case, the SM2 decryption code assumes that certain internal conditions will “never happen.” When malformed or edge-case ciphertext violates those assumptions, the library responds by triggering a panic, not a normal error. In Rust, a panic is not just a failed function call—it is often a full stop for the running process.
In development, this is useful for catching programmer mistakes. In production cryptographic services, it is dangerous.
How this would be exploited in practice
Any system that decrypts SM2 data from outside sources is exposed. That includes:
- APIs that accept encrypted payloads
- Message queues or brokers carrying encrypted messages
- Network protocols that rely on SM2 for confidentiality
An attacker does not need to understand SM2 deeply. By sending deliberately malformed ciphertext—wrong field sizes, missing components, or unexpected values—they can reliably crash the service. Once they find a crashing input, it can be replayed endlessly to keep the service offline.
This is the kind of issue attackers love because it is:
- Remote
- Unauthenticated
- Repeatable
- Cheap to execute
MITRE ATT&CK mapping
- Impact – Endpoint Denial of Service (T1499)
How defenders usually notice it
This rarely shows up as a clean “security alert.” Instead, teams see:
- Pods restarting over and over
- Services flapping without obvious CPU or memory pressure
- Logs ending abruptly with panic stack traces
Detection signals and payload traits
Typical indicators
- Panic messages referencing SM2, PKE, or unwrap logic
- Crashes immediately following inbound encrypted requests
Payload characteristics
- Ciphertext blobs that are shorter than expected
- Incorrect or inconsistent internal SM2 fields
Detection rules and log sources
- Alert on multiple service restarts in a short time window
- Flag panic-related keywords in application logs
Log sources
- Application stdout/stderr
- Service manager logs (systemd, supervisor)
- Container orchestration events
Fix
Apply the official RustCrypto patch that replaces panic paths with safe error handling and rejects malformed input cleanly.
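The difference between a panic path and a checked error, as an added Rust example rather than RustCrypto's own code. It assumes the common C1 || C3 || C2 ciphertext layout (a 65-byte uncompressed point, a 32-byte SM3 tag, then the masked message); the library's internal layout and error types are not reproduced here. `parse_naive` stands in for the vulnerable "this never happens" pattern, `parse_checked` for the patched behaviour, and `panics` wraps `catch_unwind` only so the example can demonstrate the crash without taking the process down.

```rust
// Added example (not RustCrypto code): parsing an SM2 ciphertext as C1 || C3 || C2
// without panicking. Layout assumed: C1 = 65-byte uncompressed point (0x04 || x || y),
// C3 = 32-byte SM3 tag, C2 = masked message (at least 1 byte).

const C1_LEN: usize = 65;
const C3_LEN: usize = 32;

#[derive(Debug, PartialEq)]
pub enum ParseError {
    TooShort { got: usize, need: usize },
    BadPointPrefix(u8),
}

#[derive(Debug, PartialEq)]
pub struct Ciphertext<'a> {
    pub c1: &'a [u8],
    pub c3: &'a [u8],
    pub c2: &'a [u8],
}

/// Vulnerable-style parser: slicing a too-short buffer panics (index out of range),
/// and the assert turns an unexpected prefix into a panic as well.
pub fn parse_naive(buf: &[u8]) -> Ciphertext<'_> {
    let c1 = &buf[..C1_LEN];
    let c3 = &buf[C1_LEN..C1_LEN + C3_LEN];
    let c2 = &buf[C1_LEN + C3_LEN..];
    assert_eq!(c1[0], 0x04, "uncompressed point expected");
    Ciphertext { c1, c3, c2 }
}

/// Hardened parser: every assumption about the input becomes a checked error.
pub fn parse_checked(buf: &[u8]) -> Result<Ciphertext<'_>, ParseError> {
    let need = C1_LEN + C3_LEN + 1;
    if buf.len() < need {
        return Err(ParseError::TooShort { got: buf.len(), need });
    }
    let (c1, rest) = buf.split_at(C1_LEN);
    let (c3, c2) = rest.split_at(C3_LEN);
    if c1[0] != 0x04 {
        return Err(ParseError::BadPointPrefix(c1[0]));
    }
    Ok(Ciphertext { c1, c3, c2 })
}

/// Constructed sample with a well-formed length and a 3-byte C2 (not real SM2 output).
pub fn sample_ciphertext() -> Vec<u8> {
    let mut v = vec![0x04u8];
    v.extend(std::iter::repeat(0xAA).take(64));
    v.extend(std::iter::repeat(0xBB).take(32));
    v.extend_from_slice(&[1, 2, 3]);
    v
}

/// Returns true if `f` panics: stands in for "the service process goes down".
pub fn panics<F: FnOnce() + std::panic::UnwindSafe>(f: F) -> bool {
    std::panic::catch_unwind(f).is_err()
}

fn main() {
    let good = sample_ciphertext();
    let short = &good[..40];
    println!("checked/good C2 len: {:?}", parse_checked(&good).map(|c| c.c2.len()));
    println!("checked/short: {:?}", parse_checked(short));
    println!("naive/short panics: {}", panics(|| { let _ = parse_naive(short); }));
}
```

In a service, the naive version takes the worker down on the first short request; the checked version returns an error the caller can log and reject, which is exactly the behaviour the patch restores.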
CVE-2026-22699 – RustCrypto SM2 invalid EC point unwrap panic
What is actually happening
SM2 ciphertexts include elliptic-curve points that must lie on a specific curve and follow strict mathematical rules. In vulnerable versions, the unwrap logic trusts these points too early. Invalid points slip through initial parsing and only cause problems once low-level math operations begin.
At that point, the library panics.
This is a well-known cryptographic failure pattern: assuming curve validity instead of enforcing it.
How this would be exploited in practice
An attacker crafts SM2 ciphertext that looks normal on the surface but contains elliptic-curve points that:
- Do not lie on the curve
- Use invalid coordinates
- Break internal arithmetic assumptions
When the service attempts to unwrap the ciphertext, it crashes. Like CVE-2026-22700, this attack is remote, requires no authentication, and can be repeated indefinitely.
MITRE ATT&CK mapping
- Impact – Endpoint Denial of Service (T1499)
How defenders usually notice it
- Crashes only occur during decryption, not encryption
- Failures cluster around unwrap or EC parsing code paths
- Restart loops triggered by specific external inputs
Detection signals and payload traits
Indicators
- Panic traces mentioning elliptic-curve operations
- Repeated decrypt failures immediately before crashes
Payload characteristics
- EC point values outside valid numeric ranges
- Non-canonical or malformed point encodings
Detection rules and log sources
- Alert on unwrap failures followed by abnormal termination
- Correlate EC parsing errors with crashes
Log sources
- Cryptographic error logs
- Runtime panic backtraces
- Container or VM crash logs
Fix
Upgrade to the official RustCrypto release that enforces strict elliptic-curve point validation before any cryptographic arithmetic.
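Strict point validation before arithmetic, as an added example that is not RustCrypto's implementation. The on-curve check runs on a constructed toy curve y² = x³ + 2x + 3 over F₉₇ with one-byte coordinates so the arithmetic fits in `u128`; the byte-level range check uses the real SM2 field prime p, so it applies to actual 32-byte coordinates. The `Curve`, `Affine` and `PointError` names are this example's own.

```rust
// Added example (not RustCrypto code): validate an encoded elliptic-curve point
// before any arithmetic touches it. Order matters: length and prefix, then
// coordinate range, then the curve equation; only a point that passes all three
// is handed to scalar multiplication.

#[derive(Debug, PartialEq, Clone, Copy)]
pub struct Curve { pub p: u128, pub a: u128, pub b: u128 }

#[derive(Debug, PartialEq, Clone, Copy)]
pub struct Affine { pub x: u128, pub y: u128 }

#[derive(Debug, PartialEq)]
pub enum PointError { WrongLength(usize), BadPrefix(u8), CoordinateOutOfRange, NotOnCurve }

/// Constructed toy curve y^2 = x^3 + 2x + 3 over F_97 (one byte per coordinate).
pub const TOY: Curve = Curve { p: 97, a: 2, b: 3 };

/// Is (x, y) a solution of y^2 = x^3 + ax + b mod p? Caller guarantees x, y < p.
pub fn on_curve(c: &Curve, x: u128, y: u128) -> bool {
    let lhs = y * y % c.p;
    let rhs = (x * x % c.p * x + c.a * x + c.b) % c.p;
    lhs == rhs
}

/// Decode 0x04 || x || y (uncompressed) on the toy curve, refusing invalid points.
pub fn decode_point(c: &Curve, enc: &[u8]) -> Result<Affine, PointError> {
    if enc.len() != 3 { return Err(PointError::WrongLength(enc.len())); }
    if enc[0] != 0x04 { return Err(PointError::BadPrefix(enc[0])); }
    let (x, y) = (u128::from(enc[1]), u128::from(enc[2]));
    if x >= c.p || y >= c.p { return Err(PointError::CoordinateOutOfRange); }
    if !on_curve(c, x, y) { return Err(PointError::NotOnCurve); }
    // SM2's recommended curve has cofactor 1, so no extra subgroup check is needed
    // there; curves with cofactor > 1 also need an order check before use.
    Ok(Affine { x, y })
}

/// Real SM2 field prime p, big-endian, for the byte-level range check on 32-byte coordinates.
pub const SM2_P: [u8; 32] = [
    0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
    0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
];

/// A big-endian 32-byte coordinate is canonical iff it is numerically < p; lexicographic
/// byte comparison gives exactly that ordering for fixed-width big-endian values.
pub fn sm2_coordinate_in_range(coord: &[u8; 32]) -> bool {
    *coord < SM2_P
}

fn main() {
    let samples: [&[u8]; 4] = [&[0x04, 3, 6], &[0x04, 3, 7], &[0x04, 100, 6], &[0x02, 3, 6]];
    for enc in samples {
        println!("{:?} -> {:?}", enc, decode_point(&TOY, enc));
    }
    println!("all-0xFF coordinate in range: {}", sm2_coordinate_in_range(&[0xFF; 32]));
}
```

The point (3, 6) satisfies 6² = 36 = 27 + 6 + 3 mod 97 and is accepted; (3, 7) is rejected as off-curve before any doubling or addition could be attempted on it, which is the check the patched release enforces.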
CVE-2026-22698 – RustCrypto SM2 nonce entropy collapse enabling ciphertext decryption
What is actually happening
SM2 encryption relies on a fresh, unpredictable nonce for every encryption operation. In affected implementations, nonce generation can degrade due to poor entropy handling or flawed randomness usage. When that happens, nonces may repeat or become predictable.
This does not crash systems. Instead, it quietly breaks encryption.
How this would be exploited in practice
An attacker who can observe multiple ciphertexts—through logs, backups, network traffic, or compromised storage—can look for repeated or correlated encryption values. With enough samples, they can:
- Recover plaintext
- Infer relationships between encrypted messages
- Gradually undermine the secrecy of protected data
This attack is subtle. Systems keep running, and no errors appear.
MITRE ATT&CK mapping
- Credential Access – Cryptographic Key Compromise (T1552)
- Collection – Data from Cryptographic Weaknesses
How defenders usually notice it
Often they don’t—until data is already exposed. When detected, it is usually through:
- Cryptographic reviews
- Incident response investigations
- Detection of repeated ciphertext patterns
Detection signals and payload traits
Indicators
- Identical or highly similar ciphertext components across different messages
Payload characteristics
- Reused ephemeral values in SM2 output
- Patterns where randomness should exist
Detection rules and log sources
- Alert on duplicate ciphertext components within defined time windows
- Monitor entropy warnings in runtime environments
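The duplicate-component alert above, as an added Rust example that runs over constructed audit lines (not output from any real system). In SM2 the C1 component is the ephemeral point [k]G, so two encryptions that emit the same C1 mean the nonce k repeated; the key=value log format, the `sm2_encrypt` operation name and the key identifiers are assumptions of this example.

```rust
// Added example (not RustCrypto code): flag repeated SM2 C1 components across
// encryption audit events within a time window. Constructed log format:
//   ts=<epoch secs> op=<sm2_encrypt|sm2_decrypt> key=<key id> c1=<hex of C1>
use std::collections::HashMap;

/// Constructed sample audit lines (not from any real system).
pub const SAMPLE_LOG: &[&str] = &[
    "ts=1736935201 op=sm2_encrypt key=svc-a c1=04a1b2c3d4",
    "ts=1736935230 op=sm2_encrypt key=svc-a c1=0411223344",
    "ts=1736935260 op=sm2_decrypt key=svc-a c1=0411223344",
    "ts=1736935290 op=sm2_encrypt key=svc-b c1=04A1B2C3D4",
    "ts=1736939000 op=sm2_encrypt key=svc-a c1=04deadbeef",
    "ts=1736939100 op=sm2_encrypt key=svc-a c1=04deadbeef",
    "ts=1736950000 op=sm2_encrypt key=svc-c c1=04a1b2c3d4",
];

#[derive(Debug, PartialEq)]
pub struct Alert {
    pub c1: String,
    pub first_ts: u64,
    pub repeat_ts: u64,
    pub first_key: String,
    pub repeat_key: String,
}

struct Event { ts: u64, op: String, key: String, c1: String }

/// Parse one line; malformed lines yield None and are skipped by the caller.
fn parse_line(line: &str) -> Option<Event> {
    let mut ts: Option<u64> = None;
    let (mut op, mut key, mut c1) = (None, None, None);
    for field in line.split_whitespace() {
        let (k, v) = field.split_once('=')?;
        match k {
            "ts" => ts = v.parse().ok(),
            "op" => op = Some(v.to_string()),
            "key" => key = Some(v.to_string()),
            // Normalise hex case so 04A1.. and 04a1.. are recognised as the same point.
            "c1" => c1 = Some(v.to_ascii_lowercase()),
            _ => {}
        }
    }
    Some(Event { ts: ts?, op: op?, key: key?, c1: c1? })
}

/// Emit an alert whenever an encryption event repeats a C1 seen within `window_secs`.
/// Decrypt events are ignored: they legitimately carry the C1 of the message they open.
pub fn find_repeated_c1(lines: &[&str], window_secs: u64) -> Vec<Alert> {
    let mut last_seen: HashMap<String, (u64, String)> = HashMap::new();
    let mut alerts = Vec::new();
    for ev in lines.iter().filter_map(|l| parse_line(l)) {
        if ev.op != "sm2_encrypt" {
            continue;
        }
        if let Some((prev_ts, prev_key)) = last_seen.get(&ev.c1) {
            if ev.ts.saturating_sub(*prev_ts) <= window_secs {
                alerts.push(Alert {
                    c1: ev.c1.clone(),
                    first_ts: *prev_ts,
                    repeat_ts: ev.ts,
                    first_key: prev_key.clone(),
                    repeat_key: ev.key.clone(),
                });
            }
        }
        last_seen.insert(ev.c1, (ev.ts, ev.key));
    }
    alerts
}

fn main() {
    for a in find_repeated_c1(SAMPLE_LOG, 3600) {
        println!(
            "repeated C1 {}: first at {} ({}), again at {} ({})",
            a.c1, a.first_ts, a.first_key, a.repeat_ts, a.repeat_key
        );
    }
}
```

With a one-hour window the sample produces two alerts: the C1 shared by svc-a and svc-b 89 seconds apart, and the one svc-a emitted twice 100 seconds apart. With a sound RNG a 256-bit nonce should never repeat at all, so the window mainly bounds the state the detector keeps; a duplicate at any distance, including the svc-c event hours later, deserves a cryptographic review rather than dismissal.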
Log sources
- Encryption audit logs
- Application telemetry
- Secure logging pipelines capturing cryptographic metadata
Fix
Apply the official RustCrypto patch that corrects nonce generation and ensure the runtime environment provides strong entropy, especially in containers and virtualized systems.
Final takeaway
Taken together, these issues show two classic failure modes: crash-on-bad-input and silent cryptographic weakness. The former hurts availability immediately; the latter quietly erodes trust over time. Both demand prompt patching, careful monitoring, and a healthy skepticism of cryptographic inputs received from the outside world.
