Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
Lifecycle Timeline
6DescriptionGitHub Advisory
Botan is a C++ cryptography library. From version 2.3.0 to before version 3.11.0, during SM2 decryption, the code that checked the authentication code value (C3) failed to check that the encoded value was of the expected length prior to comparison. An invalid ciphertext can cause a heap over-read of up to 31 bytes, resulting in a crash or potentially other undefined behavior. This issue has been patched in version 3.11.0.
AnalysisAI
Heap over-read in Botan C++ cryptography library versions 2.3.0 through 3.10.x allows remote, unauthenticated attackers to trigger crashes or undefined behavior during SM2 decryption. The vulnerability stems from insufficient length validation of authentication code (C3) values in SM2 ciphertexts, enabling reads of up to 31 bytes beyond allocated heap memory. With CVSS 8.2 (AV:N/AC:L/PR:N/UI:N) and EPSS data not provided, this represents a remotely exploitable memory safety issue in a cryptographic primitive. No public exploit identified at time of analysis. Patched in version 3.11.0.
Technical ContextAI
Botan is a widely-used open-source cryptography library for C++ applications, supporting modern algorithms including SM2, a Chinese national standard elliptic curve cryptography algorithm (ISO/IEC 14888-3). The vulnerability (CWE-125: Out-of-bounds Read) occurs in the SM2 decryption implementation's validation logic for the C3 authentication tag component of SM2 ciphertexts. The affected code failed to verify that the encoded C3 value length matched expectations before performing memory comparison operations. This missing boundary check allows specially crafted SM2 ciphertexts to trigger heap buffer over-reads of up to 31 bytes, potentially exposing adjacent heap memory contents or causing process crashes. The flaw exists in the cryptographic layer itself, not in TLS/protocol handling, meaning any application using Botan's SM2 decryption functionality with untrusted ciphertext inputs is potentially affected. The affected version range (2.3.0 to 3.10.x) spans approximately 7 years of releases, indicating broad deployment across systems using SM2 encryption.
RemediationAI
Vendor-released patch: Botan version 3.11.0 completely resolves the vulnerability through proper length validation of SM2 authentication codes prior to memory operations. Organizations should upgrade all Botan installations to version 3.11.0 or later immediately, prioritizing systems that process SM2 ciphertexts from untrusted sources. For environments unable to upgrade immediately, interim mitigations include restricting SM2 decryption operations to trusted ciphertext sources only, implementing strict input validation before passing data to Botan's SM2 functions, and deploying monitoring for abnormal process terminations that may indicate exploitation attempts. Organizations not using SM2 functionality may deprioritize updates but should plan upgrades during normal maintenance cycles to address this and potential future vulnerabilities. Review the GitHub Security Advisory at https://github.com/randombit/botan/security/advisories/GHSA-7jj6-4r42-w9h6 for additional vendor guidance and update instructions specific to your deployment model.
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Information Disclosure
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17210