CVE-2026-32614 in gmsm

Summary

by MITRE • 03/16/2026

Go ShangMi (Commercial Cryptography) Library (GMSM) is a cryptographic library that covers the Chinese commercial cryptographic public algorithms SM2/SM3/SM4/SM9/ZUC. Prior to 0.41.1, the current SM9 decryption implementation contains an infinity-point ciphertext forgery vulnerability. The root cause is that, during decryption, the elliptic-curve point C1 in the ciphertext is only deserialized and checked to be on the curve, but the implementation does not explicitly reject the point at infinity. In the current implementation, an attacker can construct C1 as the point at infinity, causing the bilinear pairing result to degenerate into the identity element in the GT group. As a result, a critical part of the key derivation input becomes a predictable constant. An attacker who only knows the target user's UID can derive the decryption key material and then forge a ciphertext that passes the integrity check. This vulnerability is fixed in 0.41.1.


Analysis

by VulDB Data Team • 03/16/2026

The vulnerability described in CVE-2026-32614 affects the Go ShangMi cryptographic library, which implements Chinese commercial cryptographic algorithms including SM2, SM3, SM4, SM9, and ZUC. This library serves as a critical component for cryptographic operations in systems that require compliance with Chinese commercial cryptography standards, making it an essential element in various government and enterprise security infrastructures. The flaw specifically resides in the SM9 decryption implementation, which is an identity-based encryption scheme that allows for direct encryption using user identifiers as public keys. The vulnerability represents a serious security weakness that undermines the fundamental integrity of the cryptographic system.

The technical root cause of this vulnerability lies in the insufficient validation of elliptic curve points during the decryption process. During SM9 decryption, the ciphertext contains an elliptic curve point C1 that should be validated to ensure it lies on the appropriate curve. However, the implementation fails to explicitly check whether this point is the point at infinity, which represents the identity element in elliptic curve groups. This omission creates a critical security gap because the point at infinity, when processed through the bilinear pairing operation, produces the identity element in the target group GT. This mathematical property allows attackers to manipulate the cryptographic operations in predictable ways that compromise security.

The operational impact of this vulnerability is severe and multifaceted. An attacker who can construct a ciphertext with C1 set to the point at infinity can effectively bypass the normal key derivation process, making the decryption key material predictable and exploitable. The vulnerability specifically targets the integrity verification mechanism of SM9, allowing attackers to forge ciphertexts that pass the integrity check while remaining undetected by the system. This creates a scenario where an attacker only needs to know the target user's unique identifier UID to derive the decryption key material, eliminating the need for more complex attacks. The attack vector aligns with techniques described in the ATT&CK framework under credential access and defense evasion tactics, as it enables unauthorized decryption and forged message creation.

The security implications extend beyond simple forgery to encompass the complete compromise of the SM9 encryption scheme's confidentiality and integrity guarantees. When the point at infinity is used in the pairing operation, it causes the cryptographic key derivation to produce a constant value instead of a random one, making the entire decryption process predictable and vulnerable to attack. This vulnerability is classified under CWE-252, representing an insufficient validation of the point at infinity in elliptic curve cryptography implementations. The fix implemented in version 0.41.1 addresses this by ensuring proper validation of elliptic curve points, explicitly rejecting points at infinity during the decryption process. Organizations using this cryptographic library should immediately upgrade to version 0.41.1 or later to prevent exploitation, as the vulnerability could enable attackers to decrypt sensitive communications and forge authenticated messages within systems relying on SM9 encryption. The fix demonstrates proper cryptographic implementation practices that align with industry standards for elliptic curve cryptography and secure key derivation processes.

Responsible

GitHub M

Reservation

03/12/2026

Disclosure

03/16/2026

Moderation

accepted

CPE

ready

EPSS

0.00009

KEV

no

Activities

very low
