CVE-2026-23967 – A signature malleability vulnerability in sm-cr... (How to Fix)

Q: What is the severity of CVE-2026-23967?

CVE-2026-23967 has a CVSS score of 7.5 (HIGH). A signature malleability vulnerability in sm-crypto's SM2 signature verification allows attackers to create new valid signatures from existing ones. This affects applications using sm-crypto for Chinese cryptographic algorithm implementations before version 0.3.14. Attackers could potentially forge signatures to bypass authentication or authorization checks.

📋 TL;DR

A signature malleability vulnerability in sm-crypto's SM2 signature verification allows attackers to create new valid signatures from existing ones. This affects applications using sm-crypto for Chinese cryptographic algorithm implementations before version 0.3.14. Attackers could potentially forge signatures to bypass authentication or authorization checks.

💻 Affected Systems

Products:

sm-crypto

Versions: All versions before 0.3.14

Operating Systems: All

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects applications using SM2 signature verification functionality from sm-crypto library.

📦 What is this software?

Sm Crypto by Juneandgreen

View all CVEs affecting Sm Crypto →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of systems relying on SM2 signatures for authentication, allowing unauthorized access, data manipulation, or privilege escalation.

🟠

Likely Case

Signature forgery enabling bypass of signature-based verification mechanisms in applications using sm-crypto.

🟢

If Mitigated

Limited impact if additional verification layers exist or if SM2 signatures aren't used for critical security decisions.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires understanding of SM2 signature malleability and access to existing signatures.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.3.14

Vendor Advisory: https://github.com/JuneAndGreen/sm-crypto/security/advisories/GHSA-qv7w-v773-3xqm

Restart Required: No

Instructions:

Update sm-crypto dependency to version 0.3.14 or later
Run: npm update sm-crypto
Test SM2 signature verification functionality

🔧 Temporary Workarounds

Implement additional signature verification

all

Add custom validation logic to check signature uniqueness beyond standard SM2 verification

🧯 If You Can't Patch

Disable SM2 signature functionality if not essential
Implement additional authentication layers for signature-protected operations

🔍 How to Verify

Check if Vulnerable:

Check package.json or node_modules for sm-crypto version <0.3.14

Check Version:

npm list sm-crypto

Verify Fix Applied:

Confirm sm-crypto version is 0.3.14 or higher in package.json

📡 Detection & Monitoring

Log Indicators:

Multiple successful signature verifications for same message with different signatures
Unexpected signature validation patterns

Network Indicators:

Unusual authentication attempts using SM2 signatures

SIEM Query:

Search for application logs containing SM2 signature verification anomalies

📊 Metadata

CVE ID: CVE-2026-23967

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CWE: CWE-347

EPSS Score: 0.01% exploit probability (0.6th percentile)

Published: January 22, 2026

Last Updated: February 25, 2026

🔗 References

https://github.com/JuneAndGreen/sm-crypto/security/advisories/GHSA-qv7w-v773-3xqm Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-23967, you might also want to check these: