216.73.216.215

CVE-2026-23965

· Published 22/01/2026 03:15 · Modified 22/01/2026 03:15

Labels: CVE-2026-23965 2026-01-22CVE-2026-23965CWE-347[email protected]

Essential information

Published
22/01/2026 03:15
Modified
22/01/2026 03:15
Author
Creator
CVSS
7.5 HIGH (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS metrics

Description

sm-crypto provides JavaScript implementations of the Chinese cryptographic algorithms SM2, SM3, and SM4. A signature forgery vulnerability exists in the SM2 signature verification logic of sm-crypto prior to version 0.4.0. Under default configurations, an attacker can forge valid signatures for arbitrary public keys. If the message space contains sufficient redundancy, the attacker can fix the prefix of the message associated with the forged signature to satisfy specific formatting requirements. Version 0.4.0 patches the issue.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
sm-crypto / sm-crypto cpe:2.3:a:sm-crypto:sm-crypto:<0.4.0:*:*:*:*:*:*:*

References