CVE-2026-23965

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions sm-crypto versions prior to 0.4.0

Description sm-crypto provides JavaScript implementations of Chinese cryptographic algorithms SM2, SM3, and SM4. A flaw exists in the SM2 signature verification logic that allows an attacker to forge valid signatures for arbitrary public keys under default configurations. If the message space has sufficient redundancy, the attacker can adjust the message prefix to meet specific formatting needs.

Recommendations Update to version 0.4.0 or later.

Exploit

Fix

Improper Verification of Cryptographic Signature

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-347

Related Identifiers

CVE-2026-23965

GHSA-HPWG-XG7M-3P6M

Affected Products

Sm-Crypto

CVE-2026-23965

Weakness Enumeration

Related Identifiers

Affected Products

References · 13