Elliptic Curve Cryptography Vulnerability in RustCrypto's SM2 Encryption
CVE-2026-22698

8.7HIGH

Key Information:

Vendor

Rustcrypto

Vendor
CVE Published:
10 January 2026

What is CVE-2026-22698?

A vulnerability exists in RustCrypto's SM2 Public Key Encryption where the ephemeral nonce generation utilizes only 32 bits of entropy instead of the required 256 bits. This significant drop in randomness compromises the encryption strength from 128 bits to a mere 16 bits. Consequently, attackers can potentially recover the nonce and decrypt ciphertext utilizing only the public key and the encrypted data. This issue was addressed in subsequent updates, reinforcing the importance of secure key generation practices.

Affected Version(s)

elliptic-curves = 0.14.0-pre.0 = 0.14.0-pre.0

elliptic-curves = 0.14.0-rc.0 = 0.14.0-rc.0

References

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.