Sm Crypto
CVE-2026-23966
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
3Blast Radius
ecosystem impact- 501 npm packages depend on sm-crypto (315 direct, 192 indirect)
Ecosystem-wide dependent count for version 0.3.14.
DescriptionGitHub Advisory
sm-crypto provides JavaScript implementations of the Chinese cryptographic algorithms SM2, SM3, and SM4. A private key recovery vulnerability exists in the SM2 decryption logic of sm-crypto prior to version 0.3.14. By interacting with the SM2 decryption interface multiple times, an attacker can fully recover the private key within approximately several hundred interactions. Version 0.3.14 patches the issue.
AnalysisAI
The sm-crypto JavaScript library has a private key recovery vulnerability in its SM2 implementation, allowing attackers to extract secret keys from signatures.
Technical ContextAI
The sm-crypto library has a CWE-345 insufficient verification vulnerability in its SM2 (Chinese national cryptographic standard) implementation that allows attackers to recover private keys from observed signatures.
RemediationAI
Update sm-crypto immediately. Rotate all SM2 key pairs generated or used with affected versions. Re-sign critical data.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-pgx9-497m-6c4v