Skip to main content

Sm Crypto CVE-2026-23965

HIGH
Improper Verification of Cryptographic Signature (CWE-347)
2026-01-22 security-advisories@github.com GHSA-hpwg-xg7m-3p6m
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

3
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
Patch released
Feb 25, 2026 - 15:27 nvd
Patch available
CVE Published
Jan 22, 2026 - 03:15 nvd
HIGH 7.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 49 npm packages depend on sm-crypto (34 direct, 16 indirect)

Ecosystem-wide dependent count for version 0.4.0.

DescriptionGitHub Advisory

sm-crypto provides JavaScript implementations of the Chinese cryptographic algorithms SM2, SM3, and SM4. A signature forgery vulnerability exists in the SM2 signature verification logic of sm-crypto prior to version 0.4.0. Under default configurations, an attacker can forge valid signatures for arbitrary public keys. If the message space contains sufficient redundancy, the attacker can fix the prefix of the message associated with the forged signature to satisfy specific formatting requirements. Version 0.4.0 patches the issue.

AnalysisAI

SM2 signature forgery in sm-crypto prior to version 0.4.0 allows unauthenticated attackers to create valid signatures for arbitrary public keys, potentially enabling message authentication bypass in applications using the library's default configuration. An attacker can also manipulate message prefixes to meet specific formatting constraints when sufficient redundancy exists in the message space. A patch is available in version 0.4.0 and later.

Technical ContextAI

This vulnerability (CWE-347: Improper Verification of Cryptographic Signature) affects Sm-Crypto. sm-crypto provides JavaScript implementations of the Chinese cryptographic algorithms SM2, SM3, and SM4. A signature forgery vulnerability exists in the SM2 signature verification logic of sm-crypto prior to version 0.4.0. Under default configurations, an attacker can forge valid signatures for arbitrary public keys. If the message space contains sufficient redundancy, the attacker can fix the prefix of the message associated with the forged signature to satisfy specific formatting requirements.

RemediationAI

A vendor patch is available — apply it immediately. Restrict network access to the affected service where possible.

Share

CVE-2026-23965 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy