Denial-of-Service Vulnerability in RustCrypto Elliptic Curves
CVE-2026-22700
7.5HIGH
What is CVE-2026-22700?
A denial-of-service vulnerability exists in the SM2 public-key encryption implementation within RustCrypto's Elliptic Curves library. Specifically, versions 0.14.0-pre.0 and 0.14.0-rc.0 are at risk due to unchecked operations during the decryption process. An attacker can exploit this by sending inadequately sized ciphertext or crafted DER-encoded structures, potentially triggering bounds-check panics which may crash the calling thread or process. The issue has been addressed in later patches.
Affected Version(s)
elliptic-curves = 0.14.0-pre.0 = 0.14.0-pre.0
elliptic-curves = 0.14.0-rc.0 = 0.14.0-rc.0
