Key Vulnerability Information

CVE ID: CVE-2026-22698
Severity: Critical
Weakness: CWE-331

Summary

A critical vulnerability exists in the SM2 Public Key Encryption (PKE) implementation where the ephemeral nonce k is generated with severely reduced entropy. A unit mismatch error causes the nonce generation function to request only 32 bits of randomness instead of the expected 256 bits. This reduces the security of the encryption from a 128-bit level to a trivial 16-bit level, allowing a practical attack to recover the nonce k and decrypt any ciphertext given only the public key and the ciphertext.

Affected Versions

sm2 0.14.0-rc.0
sm2 0.14.0-pre.0

Details

The root cause of this vulnerability is a unit mismatch in the encrypt function located in sm2/src/pke/encrypting.rs. The code correctly calculates the byte length of the curve order (256 bits / 8 = 32 bytes) and stores it in a constant N_BYTES. However, this N_BYTES value is then passed to the next_k helper function, which incorrectly interprets it as a bit length. Inside next_k, the bit_length parameter (which holds the value 32) is passed directly to U256::try_random_bits, a function that generates a random number with the specified number of bits. As a result, the ephemeral nonce k is generated with only 32 bits of entropy.

PoC

A proof-of-concept demonstrating the feasibility of this attack is provided in examples/bsgs_recover.rs. The PoC performs the following steps:

1. Encrypt a Message
2. Extract Ephemeral Public Key
3. Recover Nonce k
4. Decrypt without Secret Key

Impact

This vulnerability leads to a complete loss of confidentiality for all data encrypted using the SM2 PKE implementation in this library. Any attacker who obtains a ciphertext can recover the plaintext in a feasible amount of time (several seconds). The severity is Critical, as it breaks the core security promise of the public key encryption scheme.
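The following is an added example and not code from the sm2 crate or from the advisory's PoC. It models the byte/bit unit mismatch described under Details with a constructed stand-in for U256::try_random_bits (the crate's real signature is assumed to differ), and shows the two defensive measures a maintainer would want: distinct BitLength and ByteLength newtypes so the compiler rejects passing N_BYTES where bits are expected, and a runtime guard in next_k that refuses any nonce width narrower than the curve order. The random source is std's OS-seeded RandomState, used for illustration only; it is not a CSPRNG.

```rust
// Added example (not the sm2 crate's code): modelling the bit/byte unit
// mismatch from the advisory and a typed API that prevents it.
use std::collections::hash_map::RandomState;
use std::hash::{BuildHasher, Hasher};

/// 256-bit unsigned integer as four little-endian 64-bit limbs.
/// Constructed stand-in for the crate's U256 type (assumption).
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct U256([u64; 4]);

impl U256 {
    /// Number of significant bits (0 for zero).
    pub fn bits(&self) -> u32 {
        for i in (0..4).rev() {
            if self.0[i] != 0 {
                return i as u32 * 64 + (64 - self.0[i].leading_zeros());
            }
        }
        0
    }
}

/// Newtypes so a byte count can never be handed to a parameter expecting bits.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct BitLength(pub u32);
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct ByteLength(pub u32);

impl ByteLength {
    /// The only sanctioned conversion: an explicit, named unit change.
    pub fn to_bits(self) -> BitLength {
        BitLength(self.0 * 8)
    }
}

/// Width of the SM2 curve order n, in both units (as in the advisory).
pub const N_BITS: BitLength = BitLength(256);
pub const N_BYTES: ByteLength = ByteLength(32);

/// Hypothetical stand-in for U256::try_random_bits: draws exactly
/// `bit_length` random bits. RandomState is OS-seeded but NOT a CSPRNG;
/// it is used here only so the example runs offline.
pub fn try_random_bits(bit_length: BitLength) -> Option<U256> {
    if bit_length.0 > 256 {
        return None;
    }
    let mut limbs = [0u64; 4];
    let mut remaining = bit_length.0;
    for limb in limbs.iter_mut() {
        if remaining == 0 {
            break;
        }
        let take = remaining.min(64);
        let mut h = RandomState::new().build_hasher();
        h.write_u64(remaining as u64);
        let r = h.finish();
        // Mask down to `take` bits; avoid the 1<<64 overflow when take == 64.
        *limb = if take == 64 { r } else { r & ((1u64 << take) - 1) };
        remaining -= take;
    }
    Some(U256(limbs))
}

/// Vulnerable shape: a plain integer parameter, so a caller can pass a byte
/// count (32) where a bit count (256) is expected, exactly as in the advisory.
pub fn next_k_vulnerable(bit_length: u32) -> U256 {
    try_random_bits(BitLength(bit_length)).expect("width in range")
}

/// Fixed shape: the parameter is typed in bits, and the function additionally
/// refuses any width that does not match the curve order.
pub fn next_k(order_bits: BitLength) -> Result<U256, &'static str> {
    if order_bits != N_BITS {
        return Err("nonce width must match the curve order");
    }
    try_random_bits(order_bits).ok_or("rng failure")
}

/// Work factor, in bits, of a baby-step giant-step search over a nonce of
/// `bits` bits: about 2^(bits/2) group operations. 256 -> 128, 32 -> 16.
pub fn bsgs_work_bits(bits: u32) -> u32 {
    bits / 2
}

fn main() {
    // Reproducing the bug: N_BYTES.0 (32) read as a bit count.
    let k_bad = next_k_vulnerable(N_BYTES.0);
    println!("vulnerable nonce width: {} bits, BSGS work 2^{}", k_bad.bits(), bsgs_work_bits(32));
    // Fixed path: the unit conversion is explicit and checked.
    let k_good = next_k(N_BYTES.to_bits()).unwrap();
    println!("fixed nonce width: {} bits, BSGS work 2^{}", k_good.bits(), bsgs_work_bits(256));
    // next_k(N_BYTES) would not compile: ByteLength is not BitLength.
    println!("narrow request rejected: {:?}", next_k(BitLength(32)).is_err());
}
```

With the newtypes in place, `next_k(N_BYTES)` is a compile error rather than a silent 32-bit nonce, and the runtime guard catches any remaining path that computes the width by hand. A unit test asserting that generated nonces have close to 256 significant bits would have flagged the original defect immediately.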
Credit

This vulnerability was discovered by:

XlabAI Team of Tencent Xuanwu Lab
Atuin Automated Vulnerability Discovery Engine