PT-2026-25376 · Unknown · Go Shangmi (Commercial Cryptography) Library
Cameudis +1 · Published 2026-03-13 · Updated 2026-03-25 · CVE-2026-32614
CVSS v3.1: 7.5 High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
Go ShangMi (Commercial Cryptography) Library (GMSM) versions prior to 0.41.1
Description
The Go ShangMi (Commercial Cryptography) Library (GMSM) contains a cryptographic vulnerability in its SM9 decryption implementation. The issue stems from a failure to explicitly reject the point at infinity during decryption, which allows an attacker who knows the target user's UID to derive the decryption key material and forge a ciphertext that passes the integrity check. The affected functions are sm9.Decrypt, sm9.DecryptASN1, and sm9.UnwrapKey.

The root cause is that the implementation only verifies that the elliptic-curve point C1 in the ciphertext is on the curve; it does not explicitly check whether C1 is the point at infinity. An attacker can set C1 to the point at infinity, which causes the bilinear pairing result to degenerate into a predictable constant in the key-derivation input. This lets the attacker forge a ciphertext that decrypts to attacker-chosen plaintext. The vulnerability does not cause a loss of confidentiality; it affects the integrity and authenticity of decrypted data.

Recommendations
Upgrade to version 0.41.1 or later to resolve this vulnerability. In the UnwrapKey path used by SM9 decryption and decapsulation, add an explicit rejection of the point at infinity after Unmarshal and IsOnCurve succeed. Add unit tests verifying that an all-zero C1 is rejected and that both the raw and the ASN.1 ciphertext paths reject the forged input.

Exploit
Fix
Improper Verification of Cryptographic Signature
RCE
Affected Products
Go Shangmi (Commercial Cryptography) Library
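The recommended guard, as an added example that is not GMSM's own code: a standalone validator that rejects an all-zero (point-at-infinity) C1 before a ciphertext reaches the pairing and KDF, meant to sit next to the library's IsOnCurve check. It assumes C1 is encoded as the uncompressed 65-byte form 0x04 || X || Y at the start of the raw ciphertext; the names `sm9P` and `CheckC1` are hypothetical, and the field prime is computed from the SM9 BN parameter t rather than hard-coded.

```go
package main

import (
	"errors"
	"math/big"
)

// SM9 field prime from the BN parameter t (GM/T 0044-2016): p = 36t^4+36t^3+24t^2+6t+1.
var sm9P = func() *big.Int {
	t, _ := new(big.Int).SetString("600000000058F98A", 16)
	p := new(big.Int)
	for _, c := range [][2]int64{{36, 4}, {36, 3}, {24, 2}, {6, 1}, {1, 0}} {
		v := new(big.Int).Exp(t, big.NewInt(c[1]), nil)
		p.Add(p, v.Mul(v, big.NewInt(c[0])))
	}
	return p
}()

var (
	ErrC1Length   = errors.New("sm9: C1 must start with 65 bytes (0x04 || X || Y)")
	ErrC1Prefix   = errors.New("sm9: C1 is not an uncompressed point")
	ErrC1Range    = errors.New("sm9: C1 coordinate is not a field element")
	ErrC1Infinity = errors.New("sm9: C1 is the point at infinity")
)

// CheckC1 validates the leading C1 of a raw SM9 ciphertext (or a bare C1) before
// it can reach the pairing and the KDF. It complements the library's IsOnCurve
// check rather than replacing it (hypothetical helper, not part of GMSM).
func CheckC1(c1 []byte) error {
	if len(c1) < 65 {
		return ErrC1Length
	}
	if c1[0] != 0x04 {
		return ErrC1Prefix
	}
	x := new(big.Int).SetBytes(c1[1:33])
	y := new(big.Int).SetBytes(c1[33:65])
	if x.Cmp(sm9P) >= 0 || y.Cmp(sm9P) >= 0 {
		return ErrC1Range
	}
	// (0,0) is the affine encoding of the point at infinity and is not on
	// y^2 = x^3 + 5, so rejecting it turns away no legitimate ciphertext.
	if x.Sign() == 0 && y.Sign() == 0 {
		return ErrC1Infinity
	}
	return nil
}
```

Call CheckC1 on the ciphertext before sm9.Decrypt, sm9.DecryptASN1 (after ASN.1 parsing yields C1) or sm9.UnwrapKey when the library version cannot be upgraded immediately.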