RustCrypto: Elliptic Curves is general purpose Elliptic Curve Cryptography (ECC) support, including types and traits for representing various elliptic curve for…
Published:
9 January 2026 at 23:00:00
Alert date:
10 January 2026 at 13:10:58
Source:
nvd.nist.gov
CVE-2026-22699 affects RustCrypto Elliptic Curves library versions 0.14.0-pre.0 and 0.14.0-rc.0. A denial-of-service vulnerability exists in the SM2 PKE decryption path where invalid elliptic-curve points cause application panics. The vulnerability occurs when AffinePoint::from_encoded_point returns None for syntactically valid coordinates that don't lie on the SM2 curve, but the code uses unwrap() without proper checking. This results in panic conditions when malformed input is processed. The issue has been patched in commit 085b7be.
Technical details
Mitigation steps:
Affected products:
RustCrypto Elliptic Curves
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-22699
https://github.com/RustCrypto/elliptic-curves/commit/085b7bee647029bd189e1375203418205006bcab
https://github.com/RustCrypto/elliptic-curves/pull/1602
https://github.com/RustCrypto/elliptic-curves/security/advisories/GHSA-78p6-6878-8mj6
Related CVE's:
Related threat actors:
IOC's:
This article was created with the assistance of AI technology by Perceptive.