CVE-2026-22698 in elliptic-curves

Summary

by MITRE • 01/10/2026

RustCrypto: Elliptic Curves is general purpose Elliptic Curve Cryptography (ECC) support, including types and traits for representing various elliptic curve forms, scalars, points, and public/secret keys composed thereof. In versions 0.14.0-pre.0 and 0.14.0-rc.0, a critical vulnerability exists in the SM2 Public Key Encryption (PKE) implementation where the ephemeral nonce k is generated with severely reduced entropy. A unit mismatch error causes the nonce generation function to request only 32 bits of randomness instead of the expected 256 bits. This reduces the security of the encryption from a 128-bit level to a trivial 16-bit level, allowing a practical attack to recover the nonce k and decrypt any ciphertext given only the public key and ciphertext. This issue has been patched via commit e4f7778.


Analysis

by VulDB Data Team • 03/12/2026

The vulnerability identified as CVE-2026-22698 affects the RustCrypto Elliptic Curves library, specifically the SM2 Public Key Encryption implementation in versions 0.14.0-pre.0 and 0.14.0-rc.0. This cryptographic library provides general purpose elliptic curve cryptography support, including various curve forms, scalar operations, point arithmetic, and key management. SM2 is a Chinese national standard for elliptic curve cryptography that covers both digital signatures and public key encryption. The flaw lies in the nonce generation step of the SM2 PKE scheme, a fundamental weakness that undermines the security of the whole encryption scheme.

The technical root cause of this vulnerability is a unit mismatch error in the nonce generation function that severely compromises the quality of the randomness required for secure cryptographic operations. Specifically, the implementation requests only 32 bits of random data instead of the 256 bits required for proper nonce generation. This critical flaw reduces the effective entropy of the ephemeral nonce k from the expected 256 bits down to merely 16 bits. According to the Common Weakness Enumeration framework, this corresponds to CWE-330, which describes insufficient entropy in a cryptographic algorithm. The reduced entropy makes the scheme vulnerable to exhaustive search, in which an attacker systematically tests all 65,536 possible values of the nonce.
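As an added illustration of the unit mismatch described above (not code from RustCrypto, whose affected function this entry does not quote), the hypothetical helper below takes a bit count, a buggy caller passes the byte count 32 where bits are expected, the corrected caller passes 256, and an instrumented test RNG plus a truncation check make the difference observable. The square-root estimate in `security_bits` matches the 256-to-128 and 32-to-16 figures given here; the RNG is a test-only LCG, not a CSPRNG.

```rust
/// Minimal RNG interface standing in for a `fill_bytes`-style API (hypothetical).
pub trait FillBytes {
    fn fill_bytes(&mut self, dest: &mut [u8]);
}

/// Instrumented test RNG that records how many bytes it handed out.
pub struct CountingRng { state: u64, pub bytes_requested: usize }

impl CountingRng {
    pub fn new(seed: u64) -> Self { Self { state: seed, bytes_requested: 0 } }
}

impl FillBytes for CountingRng {
    fn fill_bytes(&mut self, dest: &mut [u8]) {
        for b in dest.iter_mut() {
            // Knuth MMIX LCG constants: deterministic, test-only, not a CSPRNG.
            self.state = self.state.wrapping_mul(6364136223846793005).wrapping_add(1442695040888963407);
            *b = self.state as u8;
        }
        self.bytes_requested += dest.len();
    }
}

pub const NONCE_BITS: usize = 256;

/// Hypothetical helper: draws `bits` random bits into a 32-byte nonce buffer;
/// bytes beyond the requested width stay zero.
pub fn nonce_with_bits<R: FillBytes>(rng: &mut R, bits: usize) -> [u8; 32] {
    let mut k = [0u8; 32];
    let n = (bits / 8).min(32);
    rng.fill_bytes(&mut k[..n]);
    k
}

/// Vulnerable shape: the caller passes the byte count (32) where a bit count is
/// expected, so only 32 bits (4 bytes) of the 256-bit nonce are random.
pub fn weak_nonce<R: FillBytes>(rng: &mut R) -> [u8; 32] { nonce_with_bits(rng, 32) }

/// Fixed shape: the caller asks for the full 256 bits.
pub fn fixed_nonce<R: FillBytes>(rng: &mut R) -> [u8; 32] { nonce_with_bits(rng, NONCE_BITS) }

/// Test-time check: a 256-bit nonce whose upper 28 bytes are all zero almost
/// certainly came from a truncated draw.
pub fn looks_truncated(k: &[u8; 32]) -> bool { k[4..].iter().all(|&b| b == 0) }

/// Entropy actually drawn and the generic security level it buys (half the
/// bits, per square-root attacks): 32 bytes -> (256, 128), 4 bytes -> (32, 16).
pub fn security_bits(bytes_drawn: usize) -> (usize, usize) {
    (bytes_drawn * 8, bytes_drawn * 4)
}
```

A check like `looks_truncated` belongs in the library's unit tests, where it would have flagged the 4-byte draw on the first run.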

The operational impact of this vulnerability is severe and practically exploitable. With only 16 bits of entropy, an attacker can brute-force the nonce k within reasonable computational limits. Once the nonce is recovered, the attacker can decrypt any ciphertext encrypted with the corresponding public key, breaking the confidentiality guarantees of the SM2 encryption scheme. The vulnerability reduces the security level of the encryption from the expected 128 bits to a trivial 16 bits, making it trivially breakable. The attack scenario aligns with ATT&CK technique T1583.001, which covers the development of cryptographic keys and algorithms, as this is a fundamental flaw in the cryptographic implementation that compromises the entire system. The vulnerability affects the confidentiality and integrity of encrypted communications, potentially exposing sensitive data to unauthorized access.

The fix was implemented in commit e4f7778, which corrected the unit mismatch in the nonce generation function so that the proper amount of randomness is requested for the ephemeral nonce k, restoring the cryptographic security properties of the SM2 PKE implementation. Organizations using the affected versions of the RustCrypto library should upgrade to a patched version immediately. The remediation addresses the core issue by ensuring that cryptographic randomness requirements are met according to established cryptographic standards and best practices. This vulnerability highlights the critical importance of proper entropy handling in cryptographic implementations and shows how a seemingly minor unit conversion error can have catastrophic security implications. The fix brings the implementation back in line with industry standards and closes the nonce recovery attack path that would otherwise allow attackers to compromise encrypted communications.

Responsible: GitHub M

Reservation: 01/08/2026

Disclosure: 01/10/2026

Moderation: accepted

CPE: ready

EPSS: 0.00051

KEV: no

Activities: very low
