216.73.217.98

CVE-2026-22699

· Published 10/01/2026 06:15 · Modified 10/01/2026 06:15

Labels: CVE-2026-22699 2026-01-10CVE-2026-22699CWE-20[email protected]

Essential information

Published
10/01/2026 06:15
Modified
10/01/2026 06:15
Author
Creator
CVSS
7.5 HIGH (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS metrics

Description

RustCrypto: Elliptic Curves is general purpose Elliptic Curve Cryptography (ECC) support, including types and traits for representing various elliptic curve forms, scalars, points, and public/secret keys composed thereof. In versions 0.14.0-pre.0 and 0.14.0-rc.0, a denial-of-service vulnerability exists in the SM2 PKE decryption path where an invalid elliptic-curve point (C1) is decoded and the resulting value is unwrapped without checking. Specifically, AffinePoint::from_encoded_point(&encoded_c1) may return a None/CtOption::None when the supplied coordinates are syntactically valid but do not lie on the SM2 curve. The calling code previously used .unwrap(), causing a panic when presented with such input. This issue has been patched via commit 085b7be.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
rustcrypto / elliptic curves cpe:2.3:a:rustcrypto:elliptic_curves:0.14.0-pre.0:*:*:*:*:*:*:*
rustcrypto / elliptic curves cpe:2.3:a:rustcrypto:elliptic_curves:0.14.0-rc.0:*:*:*:*:*:*:*

References