CVE-2026-22698
Published: 10 January 2026
Summary
CVE-2026-22698 is a high-severity Insufficient Entropy (CWE-331) vulnerability in Rustcrypto Sm2 Elliptic Curve. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Reduce Key Space (T1600.001); ranked at the 15.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-22698 is a critical vulnerability in the SM2 Public Key Encryption (PKE) implementation within the RustCrypto elliptic-curves crate, which provides general-purpose Elliptic Curve Cryptography (ECC) support including types and traits for elliptic curve forms, scalars, points, and keys. The issue affects versions 0.14.0-pre.0 and 0.14.0-rc.0: a unit mismatch in the function that generates the ephemeral nonce k causes it to request only 32 bits of randomness instead of the expected 256 bits. This cuts the effective security of the encryption from the 128-bit level to a trivial 16-bit level and makes recovery of the nonce practical.
The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating it is exploitable over the network with low complexity and no privileges or user interaction required. Attackers can recover the nonce k from any SM2-encrypted ciphertext using only the corresponding public key, allowing full decryption of the plaintext. This impacts any applications or systems relying on the affected crate versions for SM2 PKE.
Mitigation is available via a patch in commit e4f7778, with related fixes in commits 4781762f23ff22ab34763410f648128055c93731 and e4f77788130d065d760e57fb109370827110a525, addressed through GitHub pull request #1600 in the RustCrypto/elliptic-curves repository. Users should update to a patched version beyond 0.14.0-rc.0, as indicated by the crates.io pages for the affected releases.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-1876
Vulnerability details
RustCrypto: Elliptic Curves is general purpose Elliptic Curve Cryptography (ECC) support, including types and traits for representing various elliptic curve forms, scalars, points, and public/secret keys composed thereof. In versions 0.14.0-pre.0 and 0.14.0-rc.0, a critical vulnerability exists in the SM2 Public Key Encryption (PKE) implementation where the ephemeral nonce k is generated with severely reduced entropy. A unit mismatch error causes the nonce generation function to request only 32 bits of randomness instead of the expected 256 bits. This reduces the security of the encryption from a 128-bit level to a trivial 16-bit level, allowing a practical attack to recover the nonce k and decrypt any ciphertext given only the public key and ciphertext. This issue has been patched via commit e4f7778.
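Both the analysis and the vulnerability details above come down to one defect: the nonce generator asked its RNG for 32 bits where a 256-bit SM2 scalar needs 256. The Rust program below is an added example, not code from the RustCrypto elliptic-curves crate or from this advisory. It reconstructs that unit-mismatch shape in a hypothetical `nonce_bytes_weak` (the crate's actual code is not reproduced), places it beside a corrected `nonce_bytes_fixed`, and shows the kind of regression check a maintainer or downstream consumer can add: a counting RNG double that records how many random bytes a generator actually draws. The `FillBytes` trait and `CountingRng` type are assumptions standing in for a real CSPRNG interface; reduction of the nonce modulo the SM2 group order is left out.

```rust
// Added example; not the RustCrypto elliptic-curves crate's own code.
// `FillBytes` and `CountingRng` are assumptions standing in for a real CSPRNG
// interface. `nonce_bytes_weak` is a hypothetical reconstruction of the
// unit-mismatch pattern the advisory describes, not the crate's actual code.

/// Minimal RNG interface (assumption) modelled on a fill-bytes style call.
pub trait FillBytes {
    fn fill_bytes(&mut self, dest: &mut [u8]);
}

/// Test double: records how many bytes callers request and writes a fixed
/// marker byte so untouched (zero) bytes stay distinguishable. It is not a
/// source of randomness and must never be used as a real nonce generator.
pub struct CountingRng {
    pub requested: usize,
}

impl CountingRng {
    pub fn new() -> Self {
        CountingRng { requested: 0 }
    }
}

impl FillBytes for CountingRng {
    fn fill_bytes(&mut self, dest: &mut [u8]) {
        self.requested += dest.len();
        for b in dest.iter_mut() {
            *b = 0xAB; // constructed marker value, not randomness
        }
    }
}

/// Width of an SM2 scalar: 256 bits, i.e. 32 bytes.
pub const SCALAR_BYTES: usize = 32;
pub const SCALAR_BITS: usize = SCALAR_BYTES * 8;

/// Hypothetical weak generator: treats a byte count as if it were a bit count
/// and divides by 8 again, so only 4 bytes (32 bits) of randomness are drawn
/// into the low end of the 32-byte nonce. The other 28 bytes stay zero.
pub fn nonce_bytes_weak<R: FillBytes>(rng: &mut R) -> [u8; SCALAR_BYTES] {
    let mut nonce = [0u8; SCALAR_BYTES];
    let n = SCALAR_BYTES / 8; // unit mismatch: SCALAR_BYTES is already bytes
    rng.fill_bytes(&mut nonce[SCALAR_BYTES - n..]);
    nonce
}

/// Corrected generator: fills the whole 32-byte scalar (256 bits). A real
/// implementation then reduces modulo the group order n and rejects zero.
pub fn nonce_bytes_fixed<R: FillBytes>(rng: &mut R) -> [u8; SCALAR_BYTES] {
    let mut nonce = [0u8; SCALAR_BYTES];
    rng.fill_bytes(&mut nonce);
    nonce
}

/// Regression check: run a generator against the counting double and report
/// how many bits of randomness it actually pulled from the RNG.
pub fn entropy_requested_bits<F>(generate: F) -> usize
where
    F: FnOnce(&mut CountingRng) -> [u8; SCALAR_BYTES],
{
    let mut rng = CountingRng::new();
    let _ = generate(&mut rng);
    rng.requested * 8
}

/// True when the generator draws at least a full scalar's worth of randomness.
pub fn draws_full_entropy<F>(generate: F) -> bool
where
    F: FnOnce(&mut CountingRng) -> [u8; SCALAR_BYTES],
{
    entropy_requested_bits(generate) >= SCALAR_BITS
}

/// Leading zero bytes in a nonce: a generator that leaves most of the scalar
/// untouched shows up here even without instrumenting the RNG.
pub fn leading_zero_bytes(nonce: &[u8]) -> usize {
    nonce.iter().take_while(|&&b| b == 0).count()
}

fn main() {
    let weak = entropy_requested_bits(nonce_bytes_weak);
    let fixed = entropy_requested_bits(nonce_bytes_fixed);
    println!("weak generator:  {weak} bits requested (need {SCALAR_BITS})");
    println!("fixed generator: {fixed} bits requested (need {SCALAR_BITS})");
}
```

The instrumented-RNG check is the one worth keeping in a test suite: it catches any future size or unit error at the point where randomness is requested, regardless of how the scalar is later reduced or encoded, whereas the leading-zero-byte check only catches generators that leave the high bytes untouched.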
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Directly reduces effective nonce entropy from 256 to 32 bits, enabling practical nonce recovery and decryption of SM2 ciphertexts (matches Reduce Key Space).
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires timely remediation of identified flaws, such as patching the low-entropy nonce generation in the RustCrypto elliptic-curves crate's SM2 PKE implementation.
- RA-5 (Vulnerability Monitoring and Scanning): mandates vulnerability scanning to identify deployments using the affected versions 0.14.0-pre.0 or 0.14.0-rc.0 of the RustCrypto crate that are vulnerable to nonce recovery attacks.
- Establishes proper cryptographic key and nonce management processes, mitigating risks from insufficient entropy in ephemeral nonce k generation during SM2 encryption.