Elliptic Curve Cryptography Vulnerability in RustCrypto's SM2 Encryption
CVE-2026-22698
8.7HIGH
What is CVE-2026-22698?
A vulnerability exists in RustCrypto's SM2 Public Key Encryption where the ephemeral nonce generation utilizes only 32 bits of entropy instead of the required 256 bits. This significant drop in randomness compromises the encryption strength from 128 bits to a mere 16 bits. Consequently, attackers can potentially recover the nonce and decrypt ciphertext utilizing only the public key and the encrypted data. This issue was addressed in subsequent updates, reinforcing the importance of secure key generation practices.
Affected Version(s)
elliptic-curves = 0.14.0-pre.0 = 0.14.0-pre.0
elliptic-curves = 0.14.0-rc.0 = 0.14.0-rc.0
