CVE-2026-22698
Reduced Entropy Nonce in RustCrypto SM2 PKE Enables Decryption

Publication date: 2026-01-10

Last updated on: 2026-03-12

Assigner: GitHub, Inc.

Description
RustCrypto: Elliptic Curves is general purpose Elliptic Curve Cryptography (ECC) support, including types and traits for representing various elliptic curve forms, scalars, points, and public/secret keys composed thereof. In versions 0.14.0-pre.0 and 0.14.0-rc.0, a critical vulnerability exists in the SM2 Public Key Encryption (PKE) implementation where the ephemeral nonce k is generated with severely reduced entropy. A unit mismatch error causes the nonce generation function to request only 32 bits of randomness instead of the expected 256 bits. This reduces the security of the encryption from a 128-bit level to a trivial 16-bit level, allowing a practical attack to recover the nonce k and decrypt any ciphertext given only the public key and ciphertext. This issue has been patched via commit e4f7778.
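The following Rust is an added illustration, not code from the RustCrypto crate or from the patch commit: it reproduces the byte/bit unit mismatch the description refers to, places a rejection-sampling fix of the kind the Q&A below describes beside it, and adds a leading-zero check a reviewer can run over a nonce generator to spot this bias. The SplitMix64 generator, the `random_bits` helper and the function names are constructed for the example; a real implementation must draw from an OS-backed CSPRNG and also reject values at or above the curve order.

```rust
// Added example, not the crate's code: the nonce unit mismatch behind
// CVE-2026-22698 beside a rejection-sampling fix and a bias check.
const NONCE_BYTES: usize = 32; // an SM2 scalar is 32 bytes = 256 bits

/// SplitMix64: a constructed stand-in for the CSPRNG real code must use.
pub struct Rng(u64);
impl Rng {
    pub fn new(seed: u64) -> Self { Rng(seed) }
    pub fn next_u64(&mut self) -> u64 {
        self.0 = self.0.wrapping_add(0x9E37_79B9_7F4A_7C15);
        let mut z = self.0;
        z = (z ^ (z >> 30)).wrapping_mul(0xBF58_476D_1CE4_E5B9);
        z = (z ^ (z >> 27)).wrapping_mul(0x94D0_49BB_1331_11EB);
        z ^ (z >> 31)
    }
    /// Fills the low-order `n_bits` (rounded up to whole bytes) of a
    /// big-endian 32-byte scalar with random bytes; the rest stays zero.
    pub fn random_bits(&mut self, n_bits: usize) -> [u8; NONCE_BYTES] {
        let mut out = [0u8; NONCE_BYTES];
        let n_bytes = ((n_bits + 7) / 8).min(NONCE_BYTES);
        for i in 0..n_bytes {
            out[NONCE_BYTES - 1 - i] = (self.next_u64() & 0xff) as u8;
        }
        out
    }
}

/// Flawed pattern: a byte count is passed where a bit count is expected,
/// so only 32 of 256 bits are random and k lies in a 2^32 search space.
pub fn next_k_vulnerable(rng: &mut Rng) -> [u8; NONCE_BYTES] {
    rng.random_bits(NONCE_BYTES)
}

/// Fixed pattern: draw all 256 bits and reject k == 0 (rejection sampling).
/// A real implementation also rejects values >= the curve order.
pub fn next_k_fixed(rng: &mut Rng) -> [u8; NONCE_BYTES] {
    loop {
        let k = rng.random_bits(NONCE_BYTES * 8);
        if k.iter().any(|&b| b != 0) { return k; }
    }
}

/// Bias check: leading zero bits of k. A healthy 256-bit nonce rarely has
/// more than a few dozen; the flawed generator always yields >= 224.
pub fn leading_zero_bits(k: &[u8; NONCE_BYTES]) -> u32 {
    match k.iter().position(|&b| b != 0) {
        Some(i) => 8 * i as u32 + k[i].leading_zeros(),
        None => 8 * NONCE_BYTES as u32,
    }
}
```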
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-01-10
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 2 associated CPEs

Vendor      Product             Version / Range
rustcrypto  sm2_elliptic_curve  0.14.0
rustcrypto  sm2_elliptic_curve  0.14.0
CWE ID   Description
CWE-331  The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the SM2 Public Key Encryption implementation of the RustCrypto elliptic-curves library. Due to a unit mismatch error, the ephemeral nonce 'k' used during encryption is generated with only 32 bits of randomness instead of the intended 256 bits. This happens because the function generating 'k' mistakenly treats a byte length parameter as a bit length, resulting in a severely biased nonce mostly consisting of zeros. This drastically reduces the security level from 128-bit to about 16-bit, making it trivial for an attacker to recover the nonce 'k' and decrypt any ciphertext using only the public key and ciphertext. The flaw allows practical attacks to recover plaintext and potentially the private key. The issue was fixed by replacing the flawed nonce generation with a secure, unbiased method using rejection sampling to generate a proper non-zero scalar 'k'. [1, 3, 4]


How can this vulnerability impact me?

This vulnerability can lead to a complete loss of confidentiality for any data encrypted using the affected SM2 public key encryption implementation. Because the ephemeral nonce 'k' has drastically reduced entropy, an attacker can efficiently recover 'k' using only the public key and ciphertext. With the recovered nonce, the attacker can decrypt the ciphertext without needing the private key. This compromises the security of encrypted communications, exposing sensitive information to unauthorized parties. The attack is computationally feasible on modern hardware and can be executed within seconds. [1, 4]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by identifying ciphertexts encrypted using the vulnerable SM2 PKE implementation, which generates the ephemeral nonce k with only 32 bits of entropy instead of 256 bits. A practical detection method involves attempting to recover the nonce k from captured ciphertexts using the Baby-Step Giant-Step (BSGS) algorithm over the reduced 2^32 search space. The repository provides a proof-of-concept (PoC) example in `examples/bsgs_recover.rs` demonstrating this attack workflow. To detect the vulnerability on your system, you can run this PoC code against ciphertexts suspected to be generated by the vulnerable versions (0.14.0-pre.0 and 0.14.0-rc.0) of the RustCrypto SM2 library. There are no simple shell commands provided, but running the PoC Rust example is the recommended approach to confirm exploitation of the vulnerability. [4]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability causes a complete loss of confidentiality for all data encrypted with the affected SM2 Public Key Encryption implementation due to severely reduced nonce entropy allowing trivial recovery of plaintext. Such a loss of confidentiality can lead to non-compliance with data protection standards and regulations like GDPR and HIPAA, which require adequate protection of sensitive data. Therefore, organizations using the vulnerable SM2 implementation risk violating these regulations because encrypted data can be decrypted by attackers without authorization. [4]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include upgrading the RustCrypto elliptic-curves library to a version that includes the patch fixing the nonce generation flaw. The patch replaces the flawed `next_k` function with a secure `Generate` trait implementation using `NonZeroScalar::try_generate_from_rng`, ensuring proper 256-bit entropy for the ephemeral nonce k. If upgrading is not immediately possible, avoid using the vulnerable versions (0.14.0-pre.0 and 0.14.0-rc.0) of the SM2 crate for encryption. Additionally, consider re-encrypting any sensitive data encrypted with the vulnerable versions after applying the fix. Monitoring for suspicious decryption attempts using the BSGS attack method is also advised. [1, 3, 4]

