CVE-2026-22698
Published: 10 January 2026
Summary
CVE-2026-22698 is a high-severity Insufficient Entropy (CWE-331) vulnerability in the RustCrypto SM2 elliptic-curve implementation. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Reduce Key Space (T1600.001). The CVE is ranked at the 12.7th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Approved key-establishment methods mandate sufficient entropy during key generation, eliminating entropy-starved keys.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The flaw directly reduces effective nonce entropy from 256 to 32 bits, enabling practical nonce recovery and decryption of SM2 ciphertexts (matches Reduce Key Space).
NVD Description
RustCrypto: Elliptic Curves is general purpose Elliptic Curve Cryptography (ECC) support, including types and traits for representing various elliptic curve forms, scalars, points, and public/secret keys composed thereof. In versions 0.14.0-pre.0 and 0.14.0-rc.0, a critical vulnerability exists in the SM2 Public Key Encryption (PKE) implementation where the ephemeral nonce k is generated with severely reduced entropy. A unit mismatch error causes the nonce generation function to request only 32 bits of randomness instead of the expected 256 bits. This reduces the security of the encryption from a 128-bit level to a trivial 16-bit level, allowing a practical attack to recover the nonce k and decrypt any ciphertext given only the public key and ciphertext. This issue has been patched via commit e4f7778.
Deeper analysis
CVE-2026-22698 is a critical vulnerability in the SM2 Public Key Encryption (PKE) implementation within the RustCrypto elliptic-curves crate, which provides general-purpose Elliptic Curve Cryptography (ECC) support including types and traits for elliptic curve forms, scalars, points, and keys. The issue affects versions 0.14.0-pre.0 and 0.14.0-rc.0, where a unit mismatch error in the ephemeral nonce k generation function causes it to request only 32 bits of randomness instead of the expected 256 bits. This severely reduces entropy, dropping encryption security from 128-bit to a trivial 16-bit level and enabling practical attacks to recover the nonce.
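The following Rust example is added here to illustrate the class of bug described above; it is not the RustCrypto crate's code and does not reproduce the actual patched function. It shows a bits-versus-bytes unit mismatch that makes a nonce generator draw 32 bits (4 bytes) where a 256-bit scalar needs 32 bytes, next to the correct request, and a simple defensive check that counts how many random bytes the generator actually consumed. The `ByteSource` trait and `CountingRng` are hypothetical stand-ins (the xorshift state is for determinism only, not a CSPRNG); `security_level_bits` applies the generic square-root bound that the advisory's 256-to-128 and 32-to-16 figures reflect.

```rust
// Added example for CVE-2026-22698 (not RustCrypto code). Demonstrates the
// bits-vs-bytes unit mismatch and a check that catches entropy-starved nonces.

/// SM2 scalars are 256 bits wide.
pub const SM2_SCALAR_BITS: usize = 256;

/// Hypothetical RNG interface, modelled loosely on a fill_bytes-style API.
pub trait ByteSource {
    fn fill_bytes(&mut self, dest: &mut [u8]);
}

/// Stand-in RNG that records how many bytes callers asked for.
/// Constructed for the example only; a real implementation must use a CSPRNG.
pub struct CountingRng {
    pub requested: usize,
    state: u64,
}

impl CountingRng {
    pub fn new(seed: u64) -> Self {
        CountingRng { requested: 0, state: seed | 1 }
    }
}

impl ByteSource for CountingRng {
    fn fill_bytes(&mut self, dest: &mut [u8]) {
        self.requested += dest.len();
        for b in dest.iter_mut() {
            // xorshift64: deterministic filler, not cryptographic
            self.state ^= self.state << 13;
            self.state ^= self.state >> 7;
            self.state ^= self.state << 17;
            *b = self.state as u8;
        }
    }
}

/// Number of random bytes needed to cover `bits` bits.
pub fn bytes_for_bits(bits: usize) -> usize {
    bits / 8
}

/// Flawed pattern: a byte count (32) is passed where a bit count is expected,
/// so the generator ends up requesting 32 bits = 4 bytes of randomness.
pub fn nonce_flawed<R: ByteSource>(rng: &mut R) -> Vec<u8> {
    let bits_requested = bytes_for_bits(SM2_SCALAR_BITS); // 32, intended as bytes
    let mut k = vec![0u8; bytes_for_bits(bits_requested)]; // 32 bits -> 4 bytes
    rng.fill_bytes(&mut k);
    k
}

/// Corrected pattern: request the full 256 bits = 32 bytes for the nonce k.
pub fn nonce_fixed<R: ByteSource>(rng: &mut R) -> Vec<u8> {
    let mut k = vec![0u8; bytes_for_bits(SM2_SCALAR_BITS)];
    rng.fill_bytes(&mut k);
    k
}

/// Generic security level against nonce recovery: half the bits drawn
/// (square-root bound), matching the advisory's 128-bit vs 16-bit figures.
pub fn security_level_bits(nonce: &[u8]) -> usize {
    nonce.len() * 8 / 2
}

/// Defensive check: a nonce for a 256-bit curve must have consumed exactly
/// 32 random bytes from the RNG.
pub fn nonce_consumed_full_entropy(rng: &CountingRng) -> bool {
    rng.requested == bytes_for_bits(SM2_SCALAR_BITS)
}

fn main() {
    let mut weak = CountingRng::new(7);
    let k_weak = nonce_flawed(&mut weak);
    println!(
        "flawed: {} bytes drawn, ~{}-bit security, full entropy: {}",
        k_weak.len(),
        security_level_bits(&k_weak),
        nonce_consumed_full_entropy(&weak)
    );

    let mut good = CountingRng::new(7);
    let k_good = nonce_fixed(&mut good);
    println!(
        "fixed: {} bytes drawn, ~{}-bit security, full entropy: {}",
        k_good.len(),
        security_level_bits(&k_good),
        nonce_consumed_full_entropy(&good)
    );
}
```

The counting RNG is the useful part for defenders: wrapping the real RNG in a wrapper that records bytes requested per operation and asserting the expected count in tests catches a unit mismatch like this one before release, independent of which API the library uses.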
The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating it is exploitable over the network with low complexity and no privileges or user interaction required. Attackers can recover the nonce k from any SM2-encrypted ciphertext using only the corresponding public key, allowing full decryption of the plaintext. This impacts any applications or systems relying on the affected crate versions for SM2 PKE.
Mitigation is available via a patch in commit e4f7778, with related fixes in commits 4781762f23ff22ab34763410f648128055c93731 and e4f77788130d065d760e57fb109370827110a525, addressed through GitHub pull request #1600 in the RustCrypto/elliptic-curves repository. Users should update to a patched version beyond 0.14.0-rc.0, as indicated by the crates.io pages for the affected releases.
Details
- CWE(s)