


Perceptive Security
SOC/SIEM Consultancy

sm-crypto provides JavaScript implementations of the Chinese cryptographic algorithms SM2, SM3, and SM4. A private key recovery vulnerability exists in the SM2 …
Published:
21 January 2026 at 23:00:00
Alert date:
22 January 2026 at 04:02:57
Source:
nvd.nist.gov
Supply Chain & Dependencies, Web Technologies
A critical private key recovery vulnerability exists in the sm-crypto JavaScript library prior to version 0.3.14. sm-crypto implements the Chinese cryptographic algorithms SM2, SM3, and SM4; the flaw is in its SM2 decryption logic. An attacker can fully recover the private key by interacting with the SM2 decryption interface multiple times, and only several hundred interactions are needed to complete the attack. The vulnerability is patched in version 0.3.14 of the sm-crypto library.
Technical details
Affected products:
sm-crypto
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-23966
https://github.com/JuneAndGreen/sm-crypto/commit/b1c824e58fdf1eaa73692c124a095819a8c45707
https://github.com/JuneAndGreen/sm-crypto/security/advisories/GHSA-pgx9-497m-6c4v
This article was created with the assistance of AI technology by Perceptive.
