Primary

Context

sm-crypto Signature Malleability Vulnerability in SM2 Verification Logic

Vulnerability

A signature malleability vulnerability has been identified in the SM2 signature verification logic of the sm-crypto library, in versions prior to 0.3.14. This vulnerability allows an attacker to derive a new valid signature for a previously signed message, exploiting the way signatures are verified.

Impact

Exploitation of this vulnerability allows for signature malleability, where an attacker can create a new valid signature for a message that has already been signed, potentially leading to unauthorized actions or validations based on the forged signature.

Remediation

Users can upgrade to sm-crypto version 0.3.14 or later to address this vulnerability.

Added: Jan 22, 2026, 3:23 AM

Updated: Jan 22, 2026, 3:23 AM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

0.6

exploitability

7.0

remediation

0.0

relevance

2.3

threat

0.0

urgency

2.9

incentive

4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

0.6

exploitability

7.0

remediation

0.0

relevance

2.3

threat

0.0

urgency

2.9

incentive

4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

sm-crypto Signature Malleability Vulnerability in SM2 Verification Logic

Vulnerability

Impact

Remediation

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating