CVE-2026-22699 – This vulnerability in RustCrypto's elliptic-cur... (How to Fix)

Q: What is the severity of CVE-2026-22699?

CVE-2026-22699 has a CVSS score of 7.5 (HIGH). This vulnerability in RustCrypto's elliptic-curves library allows attackers to cause denial-of-service by sending specially crafted SM2 encrypted messages. When an invalid elliptic-curve point is provided during SM2 decryption, the code panics instead of handling the error gracefully. This affects any application using the vulnerable versions of the RustCrypto elliptic-curves library for SM2 encryption/decryption.

📋 TL;DR

This vulnerability in RustCrypto's elliptic-curves library allows attackers to cause denial-of-service by sending specially crafted SM2 encrypted messages. When an invalid elliptic-curve point is provided during SM2 decryption, the code panics instead of handling the error gracefully. This affects any application using the vulnerable versions of the RustCrypto elliptic-curves library for SM2 encryption/decryption.

💻 Affected Systems

Products:

RustCrypto elliptic-curves library

Versions: 0.14.0-pre.0 and 0.14.0-rc.0 only

Operating Systems: All platforms running Rust applications

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects SM2 PKE decryption functionality. Other elliptic curves and operations are not affected.

📦 What is this software?

Sm2 Elliptic Curve by Rustcrypto

View all CVEs affecting Sm2 Elliptic Curve →

Sm2 Elliptic Curve by Rustcrypto

View all CVEs affecting Sm2 Elliptic Curve →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service disruption through panic crashes, potentially leading to availability issues in critical systems using SM2 encryption.

🟠

Likely Case

Service disruption through application crashes when processing malicious SM2 encrypted messages.

🟢

If Mitigated

Minimal impact with proper error handling and monitoring in place to restart crashed services.

🌐 Internet-Facing: HIGH if SM2 encryption is exposed to untrusted inputs from external sources.

🏢 Internal Only: MEDIUM if SM2 encryption is only used internally with controlled inputs.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires sending specially crafted SM2 encrypted messages to trigger the panic. No authentication needed if the vulnerable endpoint accepts SM2 encrypted data.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after commit 085b7bee647029bd189e1375203418205006bcab

Vendor Advisory: https://github.com/RustCrypto/elliptic-curves/security/advisories/GHSA-78p6-6878-8mj6

Restart Required: Yes

Instructions:

1. Update RustCrypto elliptic-curves dependency to version 0.14.0 or later. 2. Run 'cargo update' to fetch the patched version. 3. Rebuild and redeploy your application. 4. Restart affected services.

🔧 Temporary Workarounds

Input validation wrapper

all

Add custom validation before passing SM2 encrypted data to the library

Implement custom validation function to check SM2 encrypted data structure before decryption

Error handling wrapper

all

Wrap SM2 decryption calls in catch_unwind to prevent panics from crashing the entire application

use std::panic::catch_unwind;
let result = catch_unwind(|| { sm2_decrypt_function(data) });

🧯 If You Can't Patch

Implement rate limiting on SM2 decryption endpoints to limit DoS impact
Deploy monitoring and automatic restart mechanisms for services using SM2 decryption

🔍 How to Verify

Check if Vulnerable:

Check Cargo.toml or Cargo.lock for 'elliptic-curves' dependency version 0.14.0-pre.0 or 0.14.0-rc.0

Check Version:

grep -r "elliptic-curves" Cargo.toml Cargo.lock

Verify Fix Applied:

Verify dependency version is 0.14.0 or later, or includes commit 085b7bee647029bd189e1375203418205006bcab

📡 Detection & Monitoring

Log Indicators:

Application panic logs mentioning 'unwrap()' or 'AffinePoint::from_encoded_point'
Sudden service crashes during SM2 decryption operations

Network Indicators:

Unusual patterns of SM2 encrypted traffic to decryption endpoints
Repeated connection attempts followed by service disconnections

SIEM Query:

source="application.logs" AND ("panic" OR "unwrap" OR "AffinePoint") AND "SM2"

📊 Metadata

CVE ID: CVE-2026-22699

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-20

EPSS Score: 0.12% exploit probability (31.6th percentile)

Published: January 10, 2026

Last Updated: January 22, 2026

🔗 References

https://github.com/RustCrypto/elliptic-curves/commit/085b7bee647029bd189e1375203418205006bcab Patch
https://github.com/RustCrypto/elliptic-curves/pull/1602 Issue Tracking,Patch
https://github.com/RustCrypto/elliptic-curves/security/advisories/GHSA-78p6-6878-8mj6 Exploit,Vendor Advisory
https://github.com/RustCrypto/elliptic-curves/security/advisories/GHSA-78p6-6878-8mj6 Exploit,Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-22699, you might also want to check these: