Description
Go ShangMi (Commercial Cryptography) Library (GMSM) is a cryptographic library that covers the Chinese commercial cryptographic public algorithms SM2/SM3/SM4/SM9/ZUC. Prior to 0.41.1, the current SM9 decryption implementation contains an infinity-point ciphertext forgery vulnerability. The root cause is that, during decryption, the elliptic-curve point C1 in the ciphertext is only deserialized and checked to be on the curve, but the implementation does not explicitly reject the point at infinity. In the current implementation, an attacker can construct C1 as the point at infinity, causing the bilinear pairing result to degenerate into the identity element in the GT group. As a result, a critical part of the key derivation input becomes a predictable constant. An attacker who only knows the target user's UID can derive the decryption key material and then forge a ciphertext that passes the integrity check. This vulnerability is fixed in 0.41.1.
Published: 2026-03-13
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized decryption via forged ciphertext
Action: Apply Patch
AI Analysis

Impact

The vulnerability in the GMSM SM9 implementation arises because the decryption routine accepts an elliptic‑curve point at infinity for the ciphertext component C1. This omission lets an attacker construct a ciphertext whose bilinear pairing result collapses to the identity element in the target group, causing a portion of the key derivation input to become a predictable constant. Using only the victim’s UID, an attacker can therefore derive the decryption key and forge a ciphertext that passes the integrity check. This is a ciphertext forgery flaw (CWE‑347) that compromises data confidentiality, allowing an attacker to decrypt or produce valid messages for the victim.
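As an added example (not code from the gmsm project), the following Go program contrasts a lenient C1 decode, which only checks that the deserialized point is on the curve, with a strict one that also rejects the point at infinity, the check the fix adds. The toy curve, the 2-byte encoding and the all-zero-means-infinity convention are assumptions of this example, not SM9's actual BN256 curve or encoding.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed toy curve y^2 = x^3 + a*x + b over F_p (stand-in for SM9's BN256 curve).
const p, a, b = 97, 2, 3

// Point is affine; Inf marks the point at infinity O (the group identity).
type Point struct {
	X, Y int64
	Inf  bool
}

// IsOnCurve treats O as a group member, as curve libraries generally do,
// which is exactly why an on-curve check alone does not reject it.
func (pt Point) IsOnCurve() bool {
	if pt.Inf {
		return true
	}
	return (pt.Y*pt.Y)%p == (pt.X*pt.X*pt.X+a*pt.X+b)%p
}

// DecodeC1Lenient mirrors the pre-0.41.1 behaviour the advisory describes:
// deserialize and check on-curve only, so O slips through. Toy encoding is
// 2 bytes [x, y]; all-zero means O (an assumed convention of this toy).
func DecodeC1Lenient(enc []byte) (Point, error) {
	if len(enc) != 2 {
		return Point{}, errors.New("sm9: bad C1 length")
	}
	pt := Point{X: int64(enc[0]), Y: int64(enc[1]), Inf: enc[0] == 0 && enc[1] == 0}
	if pt.X >= p || pt.Y >= p || !pt.IsOnCurve() {
		return Point{}, errors.New("sm9: C1 not on curve")
	}
	return pt, nil
}

// DecodeC1Strict adds the missing check: reject the identity explicitly, so
// the pairing input can never degenerate to the identity element of GT.
func DecodeC1Strict(enc []byte) (Point, error) {
	pt, err := DecodeC1Lenient(enc)
	if err == nil && pt.Inf {
		return Point{}, errors.New("sm9: C1 is the point at infinity")
	}
	return pt, err
}

func main() {
	_, err := DecodeC1Strict([]byte{0, 0}) // a C1 of O is now rejected
	fmt.Println(err)
}
```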

Affected Systems

Affected products are the Go ShangMi cryptographic library (GMSM) from vendor emmansun. All releases prior to version 0.41.1 are vulnerable; version 0.41.1 and newer contain the fix.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity, while the EPSS score of less than 1% suggests that widespread exploitation is unlikely at present. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to craft a malicious ciphertext, so it typically targets applications that consume SM9 encrypted data. If an attacker can supply the forged ciphertext to the victim’s software or intercept and replace existing ciphertext, decryption will succeed with the derived key, exposing the confidential content.

Generated by OpenCVE AI on March 16, 2026 at 23:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the GMSM library to version 0.41.1 or later.
  • Verify that the updated library is correctly integrated and remove any legacy code that may manipulate C1 points.

Advisories
Source       ID                    Title
Github GHSA  GHSA-5xxp-2vrj-x855   SM9 Infinity-Point Ciphertext Forgery Vulnerability
History

Mon, 16 Mar 2026 21:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 16 Mar 2026 10:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Emmansun; Emmansun gmsm
Vendors & Products                     Emmansun; Emmansun gmsm

Fri, 13 Mar 2026 20:30:00 +0000

Type          Values Removed   Values Added
Description                    (text identical to the Description section at the top of this page)
Title                          Go ShangMi SM9 Infinity-Point Ciphertext Forgery Vulnerability
Weaknesses                     CWE-347
References
Metrics                        cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-16T20:12:09.389Z

Reserved: 2026-03-12T14:54:24.271Z

Link: CVE-2026-32614

Vulnrichment

Updated: 2026-03-16T20:11:54.751Z

NVD

Status : Deferred

Published: 2026-03-16T14:19:39.160

Modified: 2026-04-15T15:43:48.523

Link: CVE-2026-32614

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T13:39:58Z

Weaknesses