RustCrypto SM2-PKE has Unchecked AffinePoint Decoding (unwrap) in decrypt()
Description
RustCrypto: Elliptic Curves is general purpose Elliptic Curve Cryptography (ECC) support, including types and traits for representing various elliptic curve forms, scalars, points, and public/secret keys composed thereof. In versions 0.14.0-pre.0 and 0.14.0-rc.0, a denial-of-service vulnerability exists in the SM2 PKE decryption path where an invalid elliptic-curve point (C1) is decoded and the resulting value is unwrapped without checking. Specifically, AffinePoint::from_encoded_point(&encoded_c1) may return a None/CtOption::None when the supplied coordinates are syntactically valid but do not lie on the SM2 curve. The calling code previously used .unwrap(), causing a panic when presented with such input. This issue has been patched via commit 085b7be.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
RustCrypto sm2 crate versions 0.14.0-pre.0 and 0.14.0-rc.0 panic on invalid curve points during SM2 PKE decryption, enabling denial-of-service via crafted ciphertexts.
Vulnerability
Overview
A denial-of-service vulnerability exists in the SM2 PKE decryption path of the RustCrypto sm2 crate (part of the elliptic-curves repository). Versions 0.14.0-pre.0 and 0.14.0-rc.0 are affected [1][2]. The bug resides in the internal decrypt() function within src/pke/decrypting.rs. When decoding the C1 elliptic-curve point from a ciphertext, the code calls AffinePoint::from_encoded_point(&encoded_c1), which returns a CtOption. If the provided coordinates are syntactically valid (correct SEC1 encoding and length) but do not actually lie on the SM2 curve, the function returns None. The calling code then invokes .unwrap() on this potentially None value, causing a panic [2][4].
Exploitation
Scenario
An attacker can exploit this by crafting a ciphertext (e.g., as ASN.1 DER) where the C1 field contains arbitrary 32-byte X and Y values that satisfy the encoding format but are not on the SM2 curve. Such input passes the initial EncodedPoint::from_bytes() validation, which only checks format, not mathematical validity. When decrypt_der() or decrypt() processes this crafted ciphertext, the unwrap() call triggers a panic, crashing the decryption operation [2]. No authentication is required beyond the ability to submit ciphertext to a vulnerable SM2 decryption endpoint.
Impact
Successful exploitation results in a panic (unexpected termination) of the decryption process, leading to a denial-of-service condition. The confidentiality of encrypted data is not directly compromised, but the service becomes unavailable [1][2].
Mitigation
The vulnerability has been patched in commit 085b7be [1][4]. The fix replaces the unwrap() with proper error propagation by converting the CtOption into a Result and returning an error, preventing the panic [4]. Users should update to a patched version (e.g., the commit or any subsequent release containing the fix). No workarounds are mentioned in the advisories.
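The following is an added example, not code from the sm2 crate or the elliptic-curves repository. It reproduces the two-stage decode the advisory describes (an encoding check that passes for any well-formed bytes, followed by an on-curve check that can fail) on a constructed toy short-Weierstrass curve over GF(97), so it runs with the Rust standard library alone. The `AffinePoint`, `Error`, `encoded_point_from_bytes` and `affine_from_encoded` names are stand-ins for the crate's types; plain `Option` takes the place of `CtOption` after `into_option()`. `decode_c1_vulnerable` keeps the pre-fix `unwrap()`, `decode_c1_fixed` uses the patched `.ok_or(Error)?` pattern, and `vulnerable_panics` makes the panic observable without crashing the process.

```rust
use std::fmt;
use std::panic::{self, AssertUnwindSafe};

// Toy short-Weierstrass curve y^2 = x^3 + A*x + B over GF(P).
// Constructed parameters for illustration only; these are NOT the SM2 curve.
const P: u64 = 97;
const A: u64 = 2;
const B: u64 = 3;

/// Affine point on the toy curve (stand-in for the crate's `AffinePoint`).
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct AffinePoint {
    pub x: u64,
    pub y: u64,
}

/// Unit error type mirroring the shape of the `Error` the patched code returns
/// (an assumption for this example; the real type comes from `elliptic_curve`).
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct Error;

impl fmt::Display for Error {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str("invalid SM2 ciphertext")
    }
}

/// Stand-in for `EncodedPoint::from_bytes`: checks only the *encoding*
/// (uncompressed tag 0x04 followed by two fixed-width big-endian coordinates),
/// not whether the coordinates satisfy the curve equation.
pub fn encoded_point_from_bytes(bytes: &[u8]) -> Result<(u64, u64), Error> {
    if bytes.len() != 1 + 2 * 8 || bytes[0] != 0x04 {
        return Err(Error);
    }
    let mut xb = [0u8; 8];
    let mut yb = [0u8; 8];
    xb.copy_from_slice(&bytes[1..9]);
    yb.copy_from_slice(&bytes[9..17]);
    Ok((u64::from_be_bytes(xb), u64::from_be_bytes(yb)))
}

/// Stand-in for `AffinePoint::from_encoded_point`: yields `None` when the
/// decoded coordinates are not on the curve, the case the advisory describes.
/// (The real crate returns a `CtOption`; `into_option()` converts it to this.)
pub fn affine_from_encoded(enc: (u64, u64)) -> Option<AffinePoint> {
    let (x, y) = enc;
    if x >= P || y >= P {
        return None; // coordinates outside the field
    }
    let lhs = (y * y) % P;
    let rhs = (((x * x) % P) * x + A * x + B) % P;
    if lhs == rhs { Some(AffinePoint { x, y }) } else { None }
}

/// The pre-fix pattern from decrypting.rs: the format check passes, the
/// on-curve check returns None, and `unwrap()` turns that into a panic.
pub fn decode_c1_vulnerable(c1: &[u8]) -> Result<AffinePoint, Error> {
    let encoded_c1 = encoded_point_from_bytes(c1)?;
    // verify that point c1 satisfies the elliptic curve
    let c1_point = affine_from_encoded(encoded_c1).unwrap();
    Ok(c1_point)
}

/// The patched pattern (commit 085b7be): turn the missing point into an
/// error for the caller instead of panicking.
pub fn decode_c1_fixed(c1: &[u8]) -> Result<AffinePoint, Error> {
    let encoded_c1 = encoded_point_from_bytes(c1)?;
    let c1_point = affine_from_encoded(encoded_c1).ok_or(Error)?;
    Ok(c1_point)
}

/// Serialises a coordinate pair in the toy uncompressed encoding.
pub fn encode_c1(x: u64, y: u64) -> Vec<u8> {
    let mut v = Vec::with_capacity(17);
    v.push(0x04);
    v.extend_from_slice(&x.to_be_bytes());
    v.extend_from_slice(&y.to_be_bytes());
    v
}

/// Runs the vulnerable decoder under `catch_unwind` with the panic hook
/// silenced, so the panic is observed as a boolean rather than a crash.
pub fn vulnerable_panics(c1: &[u8]) -> bool {
    let prev = panic::take_hook();
    panic::set_hook(Box::new(|_| {}));
    let outcome = panic::catch_unwind(AssertUnwindSafe(|| decode_c1_vulnerable(c1)));
    panic::set_hook(prev);
    outcome.is_err()
}

fn main() {
    // Constructed inputs: (3, 6) satisfies y^2 = x^3 + 2x + 3 mod 97; (3, 7) does not.
    let on_curve = encode_c1(3, 6);
    let off_curve = encode_c1(3, 7);
    println!("fixed, on-curve C1:  {:?}", decode_c1_fixed(&on_curve));
    println!("fixed, off-curve C1: {:?}", decode_c1_fixed(&off_curve));
    println!("vulnerable, off-curve C1 panics: {}", vulnerable_panics(&off_curve));
}
```

The point the example makes for a defender is that a format-level decoder cannot stand in for the curve-membership check: the same 17 bytes pass `encoded_point_from_bytes` either way, and only the second stage knows the point is bogus. A decryption service should treat that second-stage failure as ordinary invalid input (return an error, log it, keep serving), which is exactly what the patched `.ok_or(Error)?` achieves.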
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| sm2 (crates.io) | >= 0.14.0-pre.0, <= 0.14.0-rc.4 | — |
Affected products
- Range: >= 0.14.0-pre.0, <= 0.14.0-rc.0
- RustCrypto/elliptic-curves: Range: = 0.14.0-pre.0
Patches
085b7bee6470 sm2: fix SM2PKE decryption DoS vulnerability [SECURITY] (#1602)
1 file changed · +3 −1
sm2/src/pke/decrypting.rs+3 −1 modified@@ -167,7 +167,9 @@ fn decrypt( let encoded_c1 = EncodedPoint::from_bytes(c1).map_err(Error::from)?; // verify that point c1 satisfies the elliptic curve - let mut c1_point = AffinePoint::from_encoded_point(&encoded_c1).unwrap(); + let mut c1_point = AffinePoint::from_encoded_point(&encoded_c1) + .into_option() + .ok_or(Error)?; // B2: compute point 𝑆 = [ℎ]𝐶1 let s = c1_point * Scalar::reduce(&U256::from_u32(FieldElement::S));
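Review bot: the replaced unwrap() is the right fix for the off-curve C1 case, but the hunk carries no regression test; add one that feeds a ciphertext whose C1 has field-sized X and Y values that pass EncodedPoint::from_bytes() yet fail the curve equation, and assert that decrypt() returns Err rather than panicking. The comment "// verify that point c1 satisfies the elliptic curve" now describes what the code actually enforces, so it can stay. Dropping CtOption for Option via .into_option() is acceptable at this point: C1 is a component of the attacker-supplied ciphertext, not secret material, so a data-dependent branch on its validity leaks nothing the sender did not already know.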
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. github.com/advisories/GHSA-78p6-6878-8mj6 (GHSA: ADVISORY)
2. nvd.nist.gov/vuln/detail/CVE-2026-22699 (GHSA: ADVISORY)
3. github.com/RustCrypto/elliptic-curves/commit/085b7bee647029bd189e1375203418205006bcab (GHSA: x_refsource_MISC, WEB)
4. github.com/RustCrypto/elliptic-curves/pull/1602 (GHSA: x_refsource_MISC, WEB)
5. github.com/RustCrypto/elliptic-curves/security/advisories/GHSA-78p6-6878-8mj6 (GHSA: x_refsource_CONFIRM, WEB)