CVE-2026-22699 Overview
A denial-of-service vulnerability has been identified in the RustCrypto Elliptic Curves library affecting the SM2 Public Key Encryption (PKE) decryption path. The vulnerability exists due to improper input validation when processing elliptic curve points during decryption operations. When an invalid elliptic-curve point (C1) is decoded, the resulting value is unwrapped without proper validation, causing a panic condition that can be exploited to crash applications using the affected library.
Specifically, the AffinePoint::from_encoded_point(&encoded_c1) function may return a None or CtOption::None when supplied coordinates are syntactically valid but do not actually lie on the SM2 curve. The vulnerable code path used .unwrap() on this potentially null result, causing the application to panic when presented with malformed input.
Critical Impact
Remote attackers can send specially crafted cryptographic data containing invalid SM2 curve points to cause application crashes, resulting in denial of service for systems relying on RustCrypto's elliptic curve implementations.
Affected Products
- RustCrypto Elliptic Curves version 0.14.0-pre.0
- RustCrypto Elliptic Curves version 0.14.0-rc.0
Discovery Timeline
- 2026-01-10 - CVE-2026-22699 published to NVD
- 2026-01-13 - Last updated in NVD database
Technical Details for CVE-2026-22699
Vulnerability Analysis
This vulnerability represents a classic improper input validation flaw (CWE-20) in cryptographic library code. The SM2 PKE decryption function accepts encoded elliptic curve points as input but fails to properly validate that these points actually reside on the expected SM2 curve before attempting to use them in cryptographic operations.
The vulnerability is particularly concerning because elliptic curve cryptography implementations must rigorously validate all input points. An attacker can craft coordinates that pass basic structural validation (correct byte length and format) but mathematically do not satisfy the SM2 curve equation. When the library attempts to convert these invalid coordinates into an AffinePoint, the operation correctly returns None, but the subsequent .unwrap() call triggers a Rust panic.
This attack can be executed remotely over the network without authentication, requires no user interaction, and has low attack complexity. While the vulnerability does not compromise confidentiality or integrity, it provides a reliable method to crash any service using the affected decryption functionality.
Root Cause
The root cause is the unsafe use of .unwrap() on an Option type without first verifying the result contains a valid value. In Rust, calling .unwrap() on a None value causes the program to panic and terminate. The AffinePoint::from_encoded_point() function returns an Option<AffinePoint> (specifically a CtOption for constant-time operations) to indicate whether the provided coordinates represent a valid point on the curve. The vulnerable code failed to handle the None case, assuming all syntactically valid inputs would also be mathematically valid curve points.
Attack Vector
An attacker can exploit this vulnerability by sending specially crafted ciphertext to any application using the RustCrypto SM2 PKE decryption functionality. The attack payload consists of an encoded elliptic curve point where the X and Y coordinates are formatted correctly but do not satisfy the SM2 curve equation (y² = x³ + ax + b mod p). When the application attempts to decrypt this malformed ciphertext, the point validation fails, the .unwrap() is called on None, and the application panics.
The attack requires network access to the target service and the ability to submit data that will be processed by the SM2 decryption path. No authentication or special privileges are required.
let encoded_c1 = EncodedPoint::from_bytes(c1).map_err(Error::from)?;
// verify that point c1 satisfies the elliptic curve
- let mut c1_point = AffinePoint::from_encoded_point(&encoded_c1).unwrap();
+ let mut c1_point = AffinePoint::from_encoded_point(&encoded_c1)
+ .into_option()
+ .ok_or(Error)?;
// B2: compute point 𝑆 = [ℎ]𝐶1
let s = c1_point * Scalar::reduce(&U256::from_u32(FieldElement::S));
Source: GitHub Commit
Detection Methods for CVE-2026-22699
Indicators of Compromise
- Application crashes with Rust panic messages referencing unwrap() called on None value in SM2 decryption code paths
- Unexpected process terminations in services utilizing RustCrypto elliptic-curves library for SM2 operations
- Log entries showing repeated decryption failures followed by service restarts
- Network traffic containing malformed SM2 ciphertext with invalid curve point coordinates
Detection Strategies
- Monitor application logs for panic messages originating from the sm2/src/pke/decrypting.rs module
- Implement dependency scanning to identify projects using RustCrypto elliptic-curves versions 0.14.0-pre.0 or 0.14.0-rc.0
- Deploy runtime monitoring to detect unusual patterns of service crashes or restarts in SM2-enabled applications
- Use Software Composition Analysis (SCA) tools to audit Cargo.lock files for vulnerable library versions
Monitoring Recommendations
- Enable detailed crash reporting and panic hook handlers in Rust applications to capture stack traces
- Configure service health monitoring with automatic alerting on repeated crash-restart cycles
- Implement rate limiting on endpoints that accept encrypted SM2 data to mitigate DoS amplification
- Monitor memory and process metrics for services using elliptic curve cryptography to detect instability
How to Mitigate CVE-2026-22699
Immediate Actions Required
- Update RustCrypto elliptic-curves library to a version containing commit 085b7be or later
- Review all applications using SM2 PKE decryption functionality and prioritize patching
- Consider temporarily disabling SM2 decryption endpoints if immediate patching is not possible
- Implement input validation at the application layer as a defense-in-depth measure
Patch Information
The vulnerability has been resolved via commit 085b7be in the RustCrypto elliptic-curves repository. The fix replaces the unsafe .unwrap() call with proper error handling using .into_option().ok_or(Error)?, which gracefully returns an error when invalid curve points are encountered rather than panicking.
For detailed patch information, see the GitHub Security Advisory and the associated pull request.
Workarounds
- Implement application-level input validation to verify elliptic curve points before passing them to the decryption function
- Deploy service redundancy and automatic restart mechanisms to minimize DoS impact while awaiting patches
- Use network-level filtering to restrict access to SM2 decryption endpoints from untrusted sources
- Consider wrapping SM2 decryption calls in panic-catching handlers (e.g., std::panic::catch_unwind) as a temporary mitigation
# Update RustCrypto elliptic-curves in Cargo.toml
# Ensure your dependency points to a patched version
# Check current version
cargo tree -p elliptic-curve
# Update dependencies
cargo update -p elliptic-curve
# Verify the update includes the security fix
cargo audit
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
