CVE-2026-23967
Unknown Unknown - Not Provided
SM2 Signature Malleability in sm-crypto Allows Signature Forgery

Publication date: 2026-01-22

Last updated on: 2026-02-25

Assigner: GitHub, Inc.

Description
sm-crypto provides JavaScript implementations of the Chinese cryptographic algorithms SM2, SM3, and SM4. A signature malleability vulnerability exists in the SM2 signature verification logic of the sm-crypto library prior to version 0.3.14. An attacker can derive a new valid signature for a previously signed message from an existing signature. Version 0.3.14 patches the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-22
Last Modified
2026-02-25
Generated
2026-06-16
AI Q&A
2026-01-22
EPSS Evaluated
2026-06-14
NVD
CVE-2026-23967
EUVD
EUVD-2026-3675
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
juneandgreen sm-crypto to 0.3.14 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-347 The product does not verify, or incorrectly verifies, the cryptographic signature for data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a signature malleability flaw in the SM2 digital signature algorithm implementation within the sm-crypto JavaScript library versions prior to 0.3.14. It allows an attacker to create a new valid signature for a previously signed message by manipulating an existing signature without needing any privileges or user interaction. The issue lies in the SM2 signature verification logic, which improperly verifies cryptographic signatures. [1]

Impact Analysis

The vulnerability can impact you by compromising data integrity. An attacker can forge a new valid signature for a message that was already signed, potentially allowing unauthorized actions or acceptance of tampered data as legitimate. However, it does not affect confidentiality or availability. [1]

Detection Guidance

Detection involves identifying if your system or network is using a vulnerable version of the sm-crypto library (prior to 0.3.14). You can check the version of sm-crypto in your project dependencies. For example, if using npm, run: `npm list sm-crypto` to see the installed version. Additionally, review your codebase for usage of sm-crypto's SM2 signature verification functions. There are no specific network detection commands provided for this vulnerability. [1]

Mitigation Strategies

The immediate mitigation step is to upgrade the sm-crypto library to version 0.3.14 or later, where the signature malleability vulnerability in the SM2 signature verification logic has been patched. Avoid using vulnerable versions prior to 0.3.14 to prevent exploitation. [1]

Compliance Impact

This vulnerability compromises data integrity by allowing an attacker to generate a valid signature for a previously signed message, which could lead to improper verification of cryptographic signatures. Such a compromise in data integrity may negatively impact compliance with standards and regulations like GDPR and HIPAA that require ensuring data integrity and authenticity. However, the provided resources do not explicitly discuss compliance implications. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23967. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart