CVE-2026-23966

9.1 CRITICAL

📋 TL;DR

A private key recovery vulnerability exists in sm-crypto's SM2 decryption implementation, allowing attackers to fully extract private keys through several hundred decryption interactions. This affects any application using sm-crypto versions before 0.3.14 for SM2 cryptographic operations. The vulnerability enables complete compromise of encrypted communications and digital signatures.

💻 Affected Systems

Products:
  • sm-crypto
Versions: All versions prior to 0.3.14
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems that use the SM2 decryption functionality of the sm-crypto library.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of all SM2-encrypted communications and digital signatures, leading to data theft, impersonation, and system takeover.

🟠 Likely Case

Attackers extract private keys from vulnerable systems, decrypt sensitive data, forge signatures, and impersonate legitimate users or services.

🟢 If Mitigated

With proper network segmentation and monitoring, impact is limited to specific services using vulnerable sm-crypto versions.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the ability to interact with an SM2 decryption interface, but the attack itself is straightforward once access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.3.14

Vendor Advisory: https://github.com/JuneAndGreen/sm-crypto/security/advisories/GHSA-pgx9-497m-6c4v

Restart Required: No

Instructions:

1. Update sm-crypto to version 0.3.14 or later using npm update sm-crypto.
2. Verify the update completed successfully.
3. Test SM2 functionality to ensure compatibility.

🔧 Temporary Workarounds

Disable SM2 Decryption

Applies to: all

Temporarily disable SM2 decryption functionality if not critically required

Rate Limit Decryption Requests

Applies to: all

Implement strict rate limiting on SM2 decryption endpoints to prevent the several hundred interactions needed for exploitation

🧯 If You Can't Patch

  • Isolate systems using vulnerable sm-crypto versions behind strict network controls
  • Implement comprehensive monitoring for unusual decryption request patterns

🔍 How to Verify

Check if Vulnerable:

Check package.json or run npm list sm-crypto to see if the installed version is below 0.3.14

Check Version:

npm list sm-crypto | grep sm-crypto

Verify Fix Applied:

Confirm sm-crypto version is 0.3.14 or higher using npm list sm-crypto

📡 Detection & Monitoring

Log Indicators:

  • Unusually high volume of SM2 decryption requests from a single source
  • Multiple failed decryption attempts with similar parameters

Network Indicators:

  • Repeated SM2 decryption API calls from external sources
  • Pattern of hundreds of decryption requests within short timeframes

SIEM Query:

source="application_logs" AND (message="SM2 decrypt" OR message="sm-crypto") AND count > 100 within 5 minutes
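
The threshold logic of the SIEM query above, written out as a per-source sliding-window counter. This is an added example, not code from the advisory or the sm-crypto project; the log line layout, the op name sm2_decrypt and the client names are constructed for illustration, while the 100-requests-in-5-minutes threshold is the one in the query.

```javascript
// Added example. Threshold and window are taken from the SIEM query above;
// the log layout "<ISO time> src=<id> op=<name> status=<s>" is constructed.
const WINDOW_MS = 5 * 60 * 1000;
const THRESHOLD = 100;

function parseLine(line) {
  const m = /^(\S+) src=(\S+) op=(\S+) status=(\S+)$/.exec(line.trim());
  if (!m) return null;
  const ts = Date.parse(m[1]);
  return Number.isNaN(ts) ? null : { ts, src: m[2], op: m[3], status: m[4] };
}

// Returns one alert per source, raised the first time that source has more
// than `threshold` SM2 decrypt events inside `windowMs`. Lines must be time-ordered.
function detectBursts(lines, threshold = THRESHOLD, windowMs = WINDOW_MS) {
  const recent = new Map(); // src -> timestamps still inside the window
  const alerts = new Map(); // src -> first alert for that source
  for (const line of lines) {
    const ev = parseLine(line);
    if (!ev || ev.op !== 'sm2_decrypt') continue; // skip malformed/unrelated
    const q = recent.get(ev.src) || [];
    q.push(ev.ts);
    while (q[0] <= ev.ts - windowMs) q.shift(); // expire old events
    recent.set(ev.src, q);
    if (q.length > threshold && !alerts.has(ev.src)) {
      alerts.set(ev.src, {
        src: ev.src,
        count: q.length,
        windowStart: new Date(q[0]).toISOString(),
        raisedAt: new Date(ev.ts).toISOString(),
      });
    }
  }
  return [...alerts.values()];
}

// Constructed sample: client-a sends 150 requests at 1/s (a burst),
// client-b sends 150 requests at one per 10 s (steady background traffic).
function sampleLog() {
  const base = Date.parse('2026-01-01T00:00:00Z');
  const events = [];
  for (let i = 0; i < 150; i++) {
    events.push([base + i * 1000, 'src=client-a op=sm2_decrypt status=fail']);
    events.push([base + i * 10000, 'src=client-b op=sm2_decrypt status=ok']);
  }
  events.sort((a, b) => a[0] - b[0]);
  return events.map(([t, rest]) => `${new Date(t).toISOString()} ${rest}`);
}
console.log(detectBursts(sampleLog()));
```

Only client-a is flagged in the sample; client-b sends the same total number of requests but never has more than 30 inside one window.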
