← back
CVE-2026-23965

sm-crypto Affected by Signature Forgery in SM2-DSA

CVSS 7.5 HIGHEPSS 0.2%CWE-347
Vexday Risk Score
21Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 7.5EPSS 0.2%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
22 Jan 2026Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
sm-crypto provides JavaScript implementations of the Chinese cryptographic algorithms SM2, SM3, and SM4. A signature forgery vulnerability exists in the SM2 signature verification logic of sm-crypto prior to version 0.4.0. Under default configurations, an attacker can forge valid signatures for arbitrary public keys. If the message space contains sufficient redundancy, the attacker can fix the prefix of the message associated with the forged signature to satisfy specific formatting requirements. Version 0.4.0 patches the issue.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Affected products
JuneAndGreen · sm-crypto

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/JuneAndGreen/sm-crypto/commit/85295a859d0766222d12ce2be3e6fce7b438b510https://github.com/JuneAndGreen/sm-crypto/security/advisories/GHSA-hpwg-xg7m-3p6m