CVE-2026-23966

Invalid Curve, Infinite Problems: Breaking SM2 in sm-crypto

Alon Barad
Software Engineer

Jan 22, 2026 · 7 min read

Executive Summary (TL;DR)

The `sm-crypto` library (versions < 0.3.14) does not verify that incoming public key points actually lie on the SM2 curve. This allows attackers to send 'invalid' points that force the server to perform its private-key computations on weak curves of the attacker's choosing, leaking the private key in just a few hundred requests. If you use this for SM2 decryption, your keys are gone.

A critical cryptographic implementation flaw in the widely used `sm-crypto` library allows remote attackers to recover private keys via an Invalid Curve Attack. By failing to validate that ephemeral public keys lie on the SM2 curve before using them in decryption, the library performs scalar multiplication on attacker-controlled points and leaks private key bits through the results of those computations.
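The root cause above is a missing point-validation step. The following is an added example of the check a decryption routine should run before any scalar multiplication with the private key; it is not sm-crypto's code and not the upstream patch. It uses the published SM2 domain parameters (GB/T 32918) and assumes the peer key arrives as an uncompressed "04 || X || Y" hex string; the function names and the parser are this example's own. Because SM2 has cofactor 1 (the curve group has prime order n), confirming that the point satisfies the curve equation with in-range coordinates and is not the point at infinity is the validation that rules out the invalid-curve class described in this advisory.

```javascript
// SM2 domain parameters (GB/T 32918.1-2016), as BigInt.
const SM2 = {
  p: BigInt("0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF"),
  a: BigInt("0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC"),
  b: BigInt("0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93"),
  gx: BigInt("0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7"),
  gy: BigInt("0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0"),
  n: BigInt("0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123"),
};

// Non-negative modular reduction (BigInt % keeps the sign of the dividend).
function mod(x, m) {
  const r = x % m;
  return r < 0n ? r + m : r;
}

// True iff (x, y) is an affine point on y^2 = x^3 + a*x + b over F_p with both
// coordinates in [0, p). The point at infinity has no affine form and is
// therefore never accepted as a peer public key.
function isOnSM2Curve(x, y) {
  if (typeof x !== "bigint" || typeof y !== "bigint") return false;
  if (x < 0n || x >= SM2.p || y < 0n || y >= SM2.p) return false;
  const lhs = mod(y * y, SM2.p);
  const rhs = mod(x * x * x + SM2.a * x + SM2.b, SM2.p);
  return lhs === rhs;
}

// Parse an uncompressed point encoding "04 || X || Y" (32 bytes each, hex).
// Hypothetical helper for this example; compressed forms are rejected.
function parseUncompressedPoint(hex) {
  const clean = String(hex).replace(/^0x/i, "").toLowerCase();
  if (clean.length !== 130 || !clean.startsWith("04")) {
    throw new Error("expected uncompressed point: 04 || X(32 bytes) || Y(32 bytes)");
  }
  if (!/^[0-9a-f]+$/.test(clean)) throw new Error("non-hex input");
  return {
    x: BigInt("0x" + clean.slice(2, 66)),
    y: BigInt("0x" + clean.slice(66, 130)),
  };
}

// Gate to call at the top of a decrypt routine: parse, validate, and only then
// hand the point to scalar multiplication with the private key.
function validatePeerPublicKey(hex) {
  const { x, y } = parseUncompressedPoint(hex);
  if (!isOnSM2Curve(x, y)) {
    throw new Error("public key point is not on the SM2 curve");
  }
  return { x, y };
}

// Demo on constructed inputs: the base point G (valid) and G with its y
// coordinate bumped by one (off the curve).
const hex64 = (v) => v.toString(16).padStart(64, "0");
const goodKey = "04" + hex64(SM2.gx) + hex64(SM2.gy);
const badKey = "04" + hex64(SM2.gx) + hex64(SM2.gy + 1n);
console.log("G on curve:", isOnSM2Curve(SM2.gx, SM2.gy));
try {
  validatePeerPublicKey(badKey);
} catch (e) {
  console.log("tampered point rejected:", e.message);
}
```

The order of checks matters: range checks come before the curve equation so that oversized coordinates cannot pass by reducing to a valid residue, and the reject happens before the private key is touched at all, which is what removes the attacker's ability to learn anything from the computation.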


CVSS Score: 9.1 / 10
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Affected Systems

Node.js applications using sm-crypto
Chinese financial reporting systems
Regulatory compliance gateways using SM2
Custom JS-based crypto implementations

Affected Versions Detail

Product: sm-crypto (maintainer: JuneAndGreen)
Affected Versions: < 0.3.14
Fixed Version: 0.3.14

Attribute / Detail

CWE ID: CWE-345
Attack Vector: Network
CVSS v3.1: 9.1 (Critical)
Bug Class: Invalid Curve Attack
Exploit Status: Proof of Concept Available
Language: JavaScript

CWE-345: Insufficient Verification of Data Authenticity

Vulnerability Timeline

2026-01-20  Patch committed to repository
2026-01-22  Vulnerability published (GHSA/CVE)
