Description
RustCrypto: Elliptic Curves is general purpose Elliptic Curve Cryptography (ECC) support, including types and traits for representing various elliptic curve forms, scalars, points, and public/secret keys composed thereof. In versions 0.14.0-pre.0 and 0.14.0-rc.0, a critical vulnerability exists in the SM2 Public Key Encryption (PKE) implementation where the ephemeral nonce k is generated with severely reduced entropy. A unit mismatch error causes the nonce generation function to request only 32 bits of randomness instead of the expected 256 bits. This reduces the security of the encryption from a 128-bit level to a trivial 16-bit level, allowing a practical attack to recover the nonce k and decrypt any ciphertext given only the public key and ciphertext. This issue has been patched via commit e4f7778.
Published: 2026-01-10
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Confidentiality Breach (decryption of ciphertext)
Action: Patch Now
AI Analysis

Impact

The SM2 Public Key Encryption implementation in RustCrypto Elliptic Curves mistakenly generates a 32‑bit nonce instead of the required 256 bits due to a unit mismatch. This severe entropy reduction collapses the expected 128‑bit security to a trivial 16‑bit level, making it practical for an attacker to recover the nonce and decrypt any ciphertext that has been encrypted with a public key. The vulnerability is classified as CWE‑331, a random number weakness that undermines cryptographic security.

Affected Systems

Impact is limited to two pre‑release versions of the RustCrypto elliptic‑curves crate: 0.14.0‑pre.0 and 0.14.0‑rc.0. Systems that depend on these releases for SM2‑PKE functionality are affected, while later stabilized releases are presumed patched.

Risk and Exploitability

With a CVSS score of 8.7 the vulnerability is considered high severity, yet an EPSS score of < 1 % suggests that the likelihood of exploitation is currently low. It is not listed in the CISA KEV catalog. Attackers would need only the ciphertext and the public key; they can brute‑force the 16‑bit nonce space to recover the secret key or decrypt the message. The exploit requires no special privilege or privileged access and can be performed remotely by an external actor who can capture or generate ciphertexts. Entities that send or receive SM2‑PKE encrypted data should therefore prioritize remediation.

Generated by OpenCVE AI on April 18, 2026 at 07:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the RustCrypto elliptic‑curves crate to a fixed version that includes the e4f7778 patch, such as 0.14.0‑rc.1 or later.
  • If an immediate upgrade is impossible, manually apply the patch from commit e4f7778 to your local copy of the crate and rebuild the application.
  • After applying the patch, verify that the nonce generation routine uses a full 256‑bit random source by checking the source or running unit tests that confirm a reduced‑bias nonce can no longer be recovered.

Generated by OpenCVE AI on April 18, 2026 at 07:11 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-w3g8-fp6j-wvqw SM2-PKE has 32-bit Biased Nonce Vulnerability
History

Thu, 12 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
First Time appeared Rustcrypto sm2 Elliptic Curve
CPEs cpe:2.3:a:rustcrypto:sm2_elliptic_curve:0.14.0:pre0:*:*:*:rust:*:*
cpe:2.3:a:rustcrypto:sm2_elliptic_curve:0.14.0:rc0:*:*:*:rust:*:*
Vendors & Products Rustcrypto sm2 Elliptic Curve
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Mon, 12 Jan 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 12 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Rustcrypto
Rustcrypto elliptic-curves
Vendors & Products Rustcrypto
Rustcrypto elliptic-curves

Sat, 10 Jan 2026 05:30:00 +0000

Type Values Removed Values Added
Description RustCrypto: Elliptic Curves is general purpose Elliptic Curve Cryptography (ECC) support, including types and traits for representing various elliptic curve forms, scalars, points, and public/secret keys composed thereof. In versions 0.14.0-pre.0 and 0.14.0-rc.0, a critical vulnerability exists in the SM2 Public Key Encryption (PKE) implementation where the ephemeral nonce k is generated with severely reduced entropy. A unit mismatch error causes the nonce generation function to request only 32 bits of randomness instead of the expected 256 bits. This reduces the security of the encryption from a 128-bit level to a trivial 16-bit level, allowing a practical attack to recover the nonce k and decrypt any ciphertext given only the public key and ciphertext. This issue has been patched via commit e4f7778.
Title RustCrypto SM2-PKE has 32-bit Biased Nonce Vulnerability
Weaknesses CWE-331
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Rustcrypto Elliptic-curves Sm2 Elliptic Curve
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-12T16:48:30.706Z

Reserved: 2026-01-08T19:23:09.856Z

Link: CVE-2026-22698

cve-icon Vulnrichment

Updated: 2026-01-12T16:48:28.067Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-10T06:15:52.220

Modified: 2026-03-12T19:13:14.870

Link: CVE-2026-22698

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T07:15:25Z

Weaknesses