CVE-2026-22700 HIGH

CVE-2026-22700: RustCrypto Has Insufficient Length Validation in decrypt() in SM2-PKE

Vendor Rustcrypto

Product elliptic-curves

Weakness CWE-20 · Input validation

Published January 10, 2026

Last update January 12, 2026

View on NVD All CVEs

CVSS base score

7.5/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality None

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

01Description

RustCrypto: Elliptic Curves is general purpose Elliptic Curve Cryptography (ECC) support, including types and traits for representing various elliptic curve forms, scalars, points, and public/secret keys composed thereof. In versions 0.14.0-pre.0 and 0.14.0-rc.0, a denial-of-service vulnerability exists in the SM2 public-key encryption (PKE) implementation: the decrypt() path performs unchecked slice::split_at operations on input buffers derived from untrusted ciphertext. An attacker can submit short/undersized ciphertext or carefully-crafted DER-encoded structures to trigger bounds-check panics (Rust unwinding) which crash the calling thread or process. This issue has been patched via commit e60e991.

Key dates

02Disclosure timeline

January 10, 2026 CVE published

January 12, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-22700

Related vulnerabilities

Identifiers

CVE CVE-2026-22700

CWE CWE-20

CVSS 7.5 / HIGH

Affected versions

Vendor Rustcrypto

Product elliptic-curves

Affected = 0.14.0-pre.0

Vendor Rustcrypto

Product elliptic-curves

Affected = 0.14.0-rc.0

CVE-2026-22700: RustCrypto Has Insufficient Length Validation in decrypt() in SM2-PKE

01Description

02Disclosure timeline

03References

04Related CVE