{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22698", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-08T19:23:09.856Z", "datePublished": "2026-01-10T05:17:19.993Z", "dateUpdated": "2026-01-12T16:48:30.706Z"}, "containers": {"cna": {"title": "RustCrypto SM2-PKE has 32-bit Biased Nonce Vulnerability", "problemTypes": [{"descriptions": [{"cweId": "CWE-331", "lang": "en", "description": "CWE-331: Insufficient Entropy", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/RustCrypto/elliptic-curves/security/advisories/GHSA-w3g8-fp6j-wvqw", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/RustCrypto/elliptic-curves/security/advisories/GHSA-w3g8-fp6j-wvqw"}, {"name": "https://github.com/RustCrypto/elliptic-curves/pull/1600", "tags": ["x_refsource_MISC"], "url": "https://github.com/RustCrypto/elliptic-curves/pull/1600"}, {"name": "https://github.com/RustCrypto/elliptic-curves/commit/4781762f23ff22ab34763410f648128055c93731", "tags": ["x_refsource_MISC"], "url": "https://github.com/RustCrypto/elliptic-curves/commit/4781762f23ff22ab34763410f648128055c93731"}, {"name": "https://github.com/RustCrypto/elliptic-curves/commit/e4f77788130d065d760e57fb109370827110a525", "tags": ["x_refsource_MISC"], "url": "https://github.com/RustCrypto/elliptic-curves/commit/e4f77788130d065d760e57fb109370827110a525"}, {"name": "https://crates.io/crates/sm2/0.14.0-pre.0", "tags": ["x_refsource_MISC"], "url": "https://crates.io/crates/sm2/0.14.0-pre.0"}, {"name": "https://crates.io/crates/sm2/0.14.0-rc.0", "tags": ["x_refsource_MISC"], "url": "https://crates.io/crates/sm2/0.14.0-rc.0"}], "affected": [{"vendor": "RustCrypto", "product": "elliptic-curves", "versions": [{"version": "= 0.14.0-pre.0", "status": "affected"}, {"version": "= 0.14.0-rc.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-10T05:17:19.993Z"}, "descriptions": [{"lang": "en", "value": "RustCrypto: Elliptic Curves is general purpose Elliptic Curve Cryptography (ECC) support, including types and traits for representing various elliptic curve forms, scalars, points, and public/secret keys composed thereof. In versions 0.14.0-pre.0 and 0.14.0-rc.0, a critical vulnerability exists in the SM2 Public Key Encryption (PKE) implementation where the ephemeral nonce k is generated with severely reduced entropy. A unit mismatch error causes the nonce generation function to request only 32 bits of randomness instead of the expected 256 bits. This reduces the security of the encryption from a 128-bit level to a trivial 16-bit level, allowing a practical attack to recover the nonce k and decrypt any ciphertext given only the public key and ciphertext. This issue has been patched via commit e4f7778."}], "source": {"advisory": "GHSA-w3g8-fp6j-wvqw", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-12T16:47:49.756087Z", "id": "CVE-2026-22698", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-12T16:48:30.706Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22698", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-12T16:47:49.756087Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-12T16:48:28.067Z"}}], "cna": {"title": "RustCrypto SM2-PKE has 32-bit Biased Nonce Vulnerability", "source": {"advisory": "GHSA-w3g8-fp6j-wvqw", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "RustCrypto", "product": "elliptic-curves", "versions": [{"status": "affected", "version": "= 0.14.0-pre.0"}, {"status": "affected", "version": "= 0.14.0-rc.0"}]}], "references": [{"url": "https://github.com/RustCrypto/elliptic-curves/security/advisories/GHSA-w3g8-fp6j-wvqw", "name": "https://github.com/RustCrypto/elliptic-curves/security/advisories/GHSA-w3g8-fp6j-wvqw", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/RustCrypto/elliptic-curves/pull/1600", "name": "https://github.com/RustCrypto/elliptic-curves/pull/1600", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/RustCrypto/elliptic-curves/commit/4781762f23ff22ab34763410f648128055c93731", "name": "https://github.com/RustCrypto/elliptic-curves/commit/4781762f23ff22ab34763410f648128055c93731", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/RustCrypto/elliptic-curves/commit/e4f77788130d065d760e57fb109370827110a525", "name": "https://github.com/RustCrypto/elliptic-curves/commit/e4f77788130d065d760e57fb109370827110a525", "tags": ["x_refsource_MISC"]}, {"url": "https://crates.io/crates/sm2/0.14.0-pre.0", "name": "https://crates.io/crates/sm2/0.14.0-pre.0", "tags": ["x_refsource_MISC"]}, {"url": "https://crates.io/crates/sm2/0.14.0-rc.0", "name": "https://crates.io/crates/sm2/0.14.0-rc.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "RustCrypto: Elliptic Curves is general purpose Elliptic Curve Cryptography (ECC) support, including types and traits for representing various elliptic curve forms, scalars, points, and public/secret keys composed thereof. In versions 0.14.0-pre.0 and 0.14.0-rc.0, a critical vulnerability exists in the SM2 Public Key Encryption (PKE) implementation where the ephemeral nonce k is generated with severely reduced entropy. A unit mismatch error causes the nonce generation function to request only 32 bits of randomness instead of the expected 256 bits. This reduces the security of the encryption from a 128-bit level to a trivial 16-bit level, allowing a practical attack to recover the nonce k and decrypt any ciphertext given only the public key and ciphertext. This issue has been patched via commit e4f7778."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-331", "description": "CWE-331: Insufficient Entropy"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-10T05:17:19.993Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22698", "state": "PUBLISHED", "dateUpdated": "2026-01-12T16:48:30.706Z", "dateReserved": "2026-01-08T19:23:09.856Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-10T05:17:19.993Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:rustcrypto:sm2_elliptic_curve:0.14.0:pre0:*:*:*:rust:*:*", "matchCriteriaId": "5F5BCFE9-1585-4A90-857F-7F9E1B9C9ADA", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustcrypto:sm2_elliptic_curve:0.14.0:rc0:*:*:*:rust:*:*", "matchCriteriaId": "B584C50F-8ED4-45F4-8799-7CCFE8D4DF66", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "RustCrypto: Elliptic Curves is general purpose Elliptic Curve Cryptography (ECC) support, including types and traits for representing various elliptic curve forms, scalars, points, and public/secret keys composed thereof. In versions 0.14.0-pre.0 and 0.14.0-rc.0, a critical vulnerability exists in the SM2 Public Key Encryption (PKE) implementation where the ephemeral nonce k is generated with severely reduced entropy. A unit mismatch error causes the nonce generation function to request only 32 bits of randomness instead of the expected 256 bits. This reduces the security of the encryption from a 128-bit level to a trivial 16-bit level, allowing a practical attack to recover the nonce k and decrypt any ciphertext given only the public key and ciphertext. This issue has been patched via commit e4f7778."}], "id": "CVE-2026-22698", "lastModified": "2026-03-12T19:13:14.870", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-10T06:15:52.220", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://crates.io/crates/sm2/0.14.0-pre.0"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://crates.io/crates/sm2/0.14.0-rc.0"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/RustCrypto/elliptic-curves/commit/4781762f23ff22ab34763410f648128055c93731"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/RustCrypto/elliptic-curves/commit/e4f77788130d065d760e57fb109370827110a525"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/RustCrypto/elliptic-curves/pull/1600"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/RustCrypto/elliptic-curves/security/advisories/GHSA-w3g8-fp6j-wvqw"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-331"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T07:11:59.300780+00:00", "value": {"mitigation_remediation": ["Upgrade the RustCrypto elliptic\u2011curves crate to a fixed version that includes the e4f7778 patch, such as 0.14.0\u2011rc.1 or later.", "If an immediate upgrade is impossible, manually apply the patch from commit e4f7778 to your local copy of the crate and rebuild the application.", "After applying the patch, verify that the nonce generation routine uses a full 256\u2011bit random source by checking the source or running unit tests that confirm a reduced\u2011bias nonce can no longer be recovered."], "summary": {"action": "Patch Now", "impact": "Confidentiality Breach (decryption of ciphertext)"}, "threat_synthesis": {"affected_systems": "Impact is limited to two pre\u2011release versions of the RustCrypto elliptic\u2011curves crate: 0.14.0\u2011pre.0 and 0.14.0\u2011rc.0. Systems that depend on these releases for SM2\u2011PKE functionality are affected, while later stabilized releases are presumed patched.", "description_and_impact": "The SM2 Public Key Encryption implementation in RustCrypto Elliptic Curves mistakenly generates a 32\u2011bit nonce instead of the required 256 bits due to a unit mismatch. This severe entropy reduction collapses the expected 128\u2011bit security to a trivial 16\u2011bit level, making it practical for an attacker to recover the nonce and decrypt any ciphertext that has been encrypted with a public key. The vulnerability is classified as CWE\u2011331, a random number weakness that undermines cryptographic security.", "risk_and_exploitability": "With a CVSS score of 8.7 the vulnerability is considered high severity, yet an EPSS score of\u202f<\u202f1\u202f% suggests that the likelihood of exploitation is currently low. It is not listed in the CISA KEV catalog. Attackers would need only the ciphertext and the public key; they can brute\u2011force the 16\u2011bit nonce space to recover the secret key or decrypt the message. The exploit requires no special privilege or privileged access and can be performed remotely by an external actor who can capture or generate ciphertexts. Entities that send or receive SM2\u2011PKE encrypted data should therefore prioritize remediation."}}}}, "created": "2026-01-12T14:36:56.305997+00:00", "updated": "2026-04-18T07:15:25.857949+00:00", "vendors": ["rustcrypto", "rustcrypto$PRODUCT$elliptic-curves"]}