Sunyxedu

PT-2026-25376 · CVSS 7.5 · 2026-03-13
Unknown · Go ShangMi (Commercial Cryptography) Library · CVE-2026-32614
**Name of the Vulnerable Software and Affected Versions**

Go ShangMi (Commercial Cryptography) Library (GMSM) versions prior to 0.41.1

**Description**

The Go ShangMi (Commercial Cryptography) Library (GMSM) contains a cryptographic vulnerability in its SM9 decryption implementation. The issue stems from a failure to explicitly reject the point at infinity during decryption, which allows an attacker who knows the target user's UID to derive the decryption key material and forge a ciphertext that passes the integrity check. The affected functions are `sm9.Decrypt`, `sm9.DecryptASN1` and `sm9.UnwrapKey`.

The root cause is that the implementation only verifies that the elliptic-curve point C1 in the ciphertext is on the curve; it does not explicitly check that C1 is not the point at infinity. When C1 is the point at infinity, the bilinear pairing result degenerates to a predictable constant, so the key-derivation input becomes predictable and the attacker can forge a ciphertext that decrypts to attacker-chosen plaintext. The vulnerability does not affect confidentiality; it affects the integrity and authenticity of decrypted data.

**Recommendations**

Upgrade to version 0.41.1 or later. In the `UnwrapKey` path used by SM9 decryption and decapsulation, add an explicit rejection of the point at infinity after `Unmarshal` and `IsOnCurve` succeed. Add unit tests verifying that an all-zero C1 is rejected and that both the raw and the ASN.1 ciphertext paths reject the forged input.
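The missing check, shown as an added illustration that is not GMSM's own code: a self-contained Go model of C1 validation on the SM9 G1 curve, in which a C1 with all-zero coordinates decodes to the point at infinity, `IsOnCurve` accepts it by convention, and only the explicit infinity rejection (the 0.41.1 fix) stops it. The 0x04||x||y encoding, the `G1Point` type and the function names are assumptions for this example; the curve parameters are the standard SM9 ones from GM/T 0044-2016.

```go
package main

import (
	"errors"
	"math/big"
)

// SM9 G1 curve y^2 = x^3 + 5 over F_p; p and the generator P1 are from GM/T 0044-2016.
var (
	sm9P  = bigHex("B640000002A3A6F1D603AB4FF58EC74521F2934B1A7AEEDBE56F9B27E351457D")
	sm9Gx = bigHex("93DE051D62BF718FF5ED0704487D01D6E1E4086909DC3280E8C4E4817C66DDDD")
	sm9Gy = bigHex("21FE8DDA4F21E607631065125C395BBC1C1C00CBFA6024350C464CD70A3EA616")
)
func bigHex(s string) *big.Int { v, _ := new(big.Int).SetString(s, 16); return v }
type G1Point struct{ X, Y *big.Int; Inf bool } // affine G1 point; Inf marks the point at infinity

// UnmarshalC1 decodes C1 from the assumed 0x04||x||y (65-byte) encoding.
func UnmarshalC1(enc []byte) (*G1Point, error) {
	if len(enc) != 65 || enc[0] != 0x04 {
		return nil, errors.New("sm9: bad C1 encoding")
	}
	x, y := new(big.Int).SetBytes(enc[1:33]), new(big.Int).SetBytes(enc[33:65])
	if x.Sign() == 0 && y.Sign() == 0 { // all-zero coordinates: many pairing libraries decode this as infinity
		return &G1Point{Inf: true}, nil
	}
	return &G1Point{X: x, Y: y}, nil
}

// IsOnCurve keeps the usual convention that the point at infinity counts as on the curve.
func (p *G1Point) IsOnCurve() bool {
	if p.Inf {
		return true // this is why an on-curve check alone let the forged C1 through
	}
	lhs := new(big.Int).Mul(p.Y, p.Y)
	rhs := new(big.Int).Exp(p.X, big.NewInt(3), sm9P)
	return lhs.Mod(lhs, sm9P).Cmp(rhs.Add(rhs, big.NewInt(5)).Mod(rhs, sm9P)) == 0
}

// ValidateC1 guards key unwrapping; rejectInfinity=false reproduces the pre-0.41.1 check.
func ValidateC1(enc []byte, rejectInfinity bool) error {
	switch p, err := UnmarshalC1(enc); {
	case err != nil:
		return err
	case !p.IsOnCurve():
		return errors.New("sm9: C1 not on curve")
	case rejectInfinity && p.Inf: // the explicit rejection the advisory recommends
		return errors.New("sm9: C1 is the point at infinity")
	}
	return nil
}
```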