CVE-2026-23967

sm-crypto provides JavaScript implementations of the Chinese cryptographic algorithms SM2, SM3, and SM4. A signature malleability vulnerability exists in the SM2 signature verification logic of the sm-crypto library prior to version 0.3.14. An attacker can derive a new valid signature for a previously signed message from an existing signature. Version 0.3.14 patches the issue.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/JuneAndGreen/sm-crypto/security/advisories/GHSA-qv7w-v773-3xqm	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:juneandgreen:sm-crypto:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-01-22 03:15

Updated : 2026-02-25 15:31

NVD link : CVE-2026-23967

Mitre link : CVE-2026-23967

CVE.ORG link : CVE-2026-23967

JSON object : View

Products Affected

juneandgreen

sm-crypto

CWE

CWE-347

Improper Verification of Cryptographic Signature

7.5 /10