CVE-2026-22700
Published: 10 January 2026
Summary
CVE-2026-22700 is a high-severity Improper Input Validation (CWE-20) vulnerability in Rustcrypto Sm2 Elliptic Curve. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 24.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Security testing and developer training directly verify and enforce proper input validation, reducing exploitability of injection and malformed-data weaknesses.
Security testing and evaluation at multiple SDLC stages directly detects missing or flawed input validation, with the required remediation process ensuring fixes are applied.
Directly implements checks on information inputs to reject invalid data before processing.
Spam protection mechanisms perform filtering and detection on inbound/outbound messages, directly compensating for missing or weak input validation of unsolicited content.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
DoS via remote exploitation of input validation flaw in SM2 decrypt causing process crash.
NVD Description
RustCrypto: Elliptic Curves is general purpose Elliptic Curve Cryptography (ECC) support, including types and traits for representing various elliptic curve forms, scalars, points, and public/secret keys composed thereof. In versions 0.14.0-pre.0 and 0.14.0-rc.0, a denial-of-service vulnerability exists in the SM2…
more
public-key encryption (PKE) implementation: the decrypt() path performs unchecked slice::split_at operations on input buffers derived from untrusted ciphertext. An attacker can submit short/undersized ciphertext or carefully-crafted DER-encoded structures to trigger bounds-check panics (Rust unwinding) which crash the calling thread or process. This issue has been patched via commit e60e991.
Deeper analysisAI
CVE-2026-22700 is a denial-of-service vulnerability in the RustCrypto elliptic-curves library, which provides general-purpose elliptic curve cryptography support including types for scalars, points, and keys. The issue affects versions 0.14.0-pre.0 and 0.14.0-rc.0 specifically in the SM2 public-key encryption implementation, where the decrypt() function performs unchecked slice::split_at operations on input buffers derived from untrusted ciphertext. This can trigger bounds-check panics during Rust unwinding, crashing the calling thread or process. The vulnerability is rated with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is associated with CWE-20 (Improper Input Validation).
Any network-accessible attacker without privileges can exploit this vulnerability by submitting short or undersized ciphertext, or carefully crafted DER-encoded structures, to a vulnerable application performing SM2 decryption with the affected library. Successful exploitation leads to a crash of the calling thread or process, resulting in denial of service with high availability impact but no confidentiality or integrity effects.
The vulnerability has been patched in commit e60e99167a9a2b187ebe80c994c5204b0fdaf4ab, as detailed in the associated GitHub pull request #1603 and security advisory GHSA-j9xq-69pf-pcm8. Security practitioners should update to a patched version of the elliptic-curves crate beyond the affected pre-release versions to mitigate the issue.
Details
- CWE(s)