CVE-2026-23965
HIGH
GHSA-hpwg-xg7m-3p6m
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
3DescriptionNVD
sm-crypto provides JavaScript implementations of the Chinese cryptographic algorithms SM2, SM3, and SM4. A signature forgery vulnerability exists in the SM2 signature verification logic of sm-crypto prior to version 0.4.0. Under default configurations, an attacker can forge valid signatures for arbitrary public keys. If the message space contains sufficient redundancy, the attacker can fix the prefix of the message associated with the forged signature to satisfy specific formatting requirements. Version 0.4.0 patches the issue.
AnalysisAI
SM2 signature forgery in sm-crypto prior to version 0.4.0 allows unauthenticated attackers to create valid signatures for arbitrary public keys, potentially enabling message authentication bypass in applications using the library's default configuration. An attacker can also manipulate message prefixes to meet specific formatting constraints when sufficient redundancy exists in the message space. …
Sign in for full analysis, threat intelligence, and remediation guidance.
RemediationAI
Within 7 days: Identify all affected systems running the SM2 signature verification logic of sm-crypto and apply vendor patches promptly. Vendor patch is available.
Sign in for detailed remediation steps.
Share
External POC / Exploit Code
Leaving vuln.today