CVE-2026-22700
Unknown Unknown - Not Provided
Denial-of-Service in RustCrypto SM2 PKE via Unchecked Buffer Access

Publication date: 2026-01-10

Last updated on: 2026-01-10

Assigner: GitHub, Inc.

Description
RustCrypto: Elliptic Curves is general purpose Elliptic Curve Cryptography (ECC) support, including types and traits for representing various elliptic curve forms, scalars, points, and public/secret keys composed thereof. In versions 0.14.0-pre.0 and 0.14.0-rc.0, a denial-of-service vulnerability exists in the SM2 public-key encryption (PKE) implementation: the decrypt() path performs unchecked slice::split_at operations on input buffers derived from untrusted ciphertext. An attacker can submit short/undersized ciphertext or carefully-crafted DER-encoded structures to trigger bounds-check panics (Rust unwinding) which crash the calling thread or process. This issue has been patched via commit e60e991.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-10
Last Modified
2026-01-10
Generated
2026-06-16
AI Q&A
2026-01-10
EPSS Evaluated
2026-06-14
NVD
CVE-2026-22700
EUVD
EUVD-2026-1874
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
rustcrypto elliptic_curves 0.14.0-rc.0
rustcrypto elliptic_curves 0.14.0-pre.0
rust sm2 0.14.0-rc.0
rust sm2 0.14.0-pre.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-22700 is a denial-of-service (DoS) vulnerability in the SM2 public-key encryption implementation of the RustCrypto elliptic-curves library. The vulnerability occurs because the decrypt() function performs unchecked slice splitting operations on input ciphertext buffers without verifying their length. If an attacker submits a short or malformed ciphertext, these unchecked operations cause Rust panics, which crash the thread or process handling the decryption. This can be exploited remotely without privileges or user interaction by sending crafted ciphertexts that trigger these panics. [1, 2, 3]

Impact Analysis

This vulnerability can impact you by allowing an attacker to cause a denial-of-service condition in your application that uses the vulnerable RustCrypto elliptic-curves library for SM2 decryption. By sending short or malformed ciphertexts, an attacker can crash the thread or process performing decryption, potentially disrupting service availability. The attack is easy to execute remotely, requires no privileges or user interaction, and can affect any application exposing decryption endpoints using this library. [1, 2, 3]

Detection Guidance

This vulnerability can be detected by monitoring for crashes or panics in applications using the RustCrypto elliptic-curves library's SM2PKE decryption function when processing ciphertext inputs. Specifically, look for panic logs or thread crashes triggered by malformed or short ciphertexts. Since the vulnerability is triggered by malformed ciphertexts causing panics in the decrypt() function, you can test detection by submitting deliberately short or malformed ciphertext inputs to the decryption endpoint or function and observing if the process crashes or panics. There are proof-of-concept examples that submit short ciphertexts (e.g., 10 bytes) or malformed DER-encoded ciphertexts to trigger the panic. Commands would depend on your environment, but generally, fuzz testing or sending crafted ciphertexts to the decryption service and monitoring logs for panics or crashes is recommended. Specific commands are not provided in the resources. [3]

Mitigation Strategies

Immediate mitigation steps include updating the RustCrypto elliptic-curves library to a version that includes the patch fixing this vulnerability (merged on January 9, 2026). The fix replaces unsafe `split_at` calls with `split_at_checked` and adds explicit length checks before splitting ciphertext slices to prevent panics. If updating is not immediately possible, implement defensive length validation before processing ciphertext inputs in the decrypt() function to ensure inputs are sufficiently long, returning controlled errors instead of panics. Additionally, monitor and filter incoming ciphertext inputs to block obviously malformed or undersized ciphertexts to reduce risk of denial-of-service. Applying the patch commit e60e991 or later versions that include this fix is the recommended action. [1, 2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-22700. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart