CVE-2026-22699
Unknown Unknown - Not Provided
Denial-of-Service in RustCrypto Elliptic Curves SM2 Decryption

Publication date: 2026-01-10

Last updated on: 2026-01-10

Assigner: GitHub, Inc.

Description
RustCrypto: Elliptic Curves is general purpose Elliptic Curve Cryptography (ECC) support, including types and traits for representing various elliptic curve forms, scalars, points, and public/secret keys composed thereof. In versions 0.14.0-pre.0 and 0.14.0-rc.0, a denial-of-service vulnerability exists in the SM2 PKE decryption path where an invalid elliptic-curve point (C1) is decoded and the resulting value is unwrapped without checking. Specifically, AffinePoint::from_encoded_point(&encoded_c1) may return a None/CtOption::None when the supplied coordinates are syntactically valid but do not lie on the SM2 curve. The calling code previously used .unwrap(), causing a panic when presented with such input. This issue has been patched via commit 085b7be.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-10
Last Modified
2026-01-10
Generated
2026-06-16
AI Q&A
2026-01-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-22699
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
rustcrypto elliptic_curves From 0.14.0-rc.0 (inc)
rustcrypto elliptic_curves From 0.14.0-pre.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a denial-of-service (DoS) issue in the RustCrypto elliptic-curves library's SM2 public key encryption (PKE) decryption implementation. It occurs when the code tries to decode an elliptic curve point (called C1) from ciphertext. The decoding function returns a special option type that can indicate failure if the point is invalid (i.e., the coordinates do not lie on the SM2 curve). However, the code previously used an unsafe unwrap operation on this result without checking validity, causing a panic if the point was invalid. This panic can crash the decrypting process, enabling an attacker to cause a denial-of-service by submitting malformed ciphertexts with invalid curve points. The issue was fixed by replacing the unwrap with proper error handling that returns an error instead of panicking. [1, 2, 3]

Impact Analysis

This vulnerability can impact you by allowing an attacker to cause a denial-of-service condition in any service using the affected RustCrypto elliptic-curves library for SM2 decryption. By submitting specially crafted ciphertexts containing invalid elliptic curve points, an attacker can trigger a panic in the decryption code, crashing the decrypting thread or process. This attack requires no privileges or user interaction and is easy to perform, potentially disrupting availability of your service. [3]

Detection Guidance

This vulnerability can be detected by testing the SM2 decryption functionality with malformed ciphertexts containing invalid elliptic curve points (C1) that are syntactically valid but do not lie on the SM2 curve. A proof-of-concept involves crafting ASN.1 DER-encoded ciphertexts with arbitrary X and Y coordinates (e.g., repeating 0x11 and 0x22 bytes) that cause the decryption function to panic due to the unwrap on an invalid point. Monitoring for crashes or panics in the decrypting process when processing such inputs indicates the presence of the vulnerability. Specific commands depend on your environment, but generally, you can run tests invoking the vulnerable decrypting APIs with crafted invalid ciphertexts and observe for panics or crashes. No direct network detection commands are provided in the resources. [3]

Mitigation Strategies

The immediate mitigation is to update the RustCrypto elliptic-curves library to a version that includes the patch fixing this vulnerability. The fix replaces the unsafe unwrap() call on the decoded elliptic curve point with proper error handling that converts the constant-time option into a standard option and returns an error instead of panicking. This prevents denial-of-service caused by invalid curve points during SM2 decryption. If updating is not immediately possible, consider implementing input validation to reject malformed ciphertexts or wrapping the decryption calls to catch panics and handle them gracefully. [1, 2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-22699. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart