CVE-2026-22699 identifies a denial-of-service vulnerability in the RustCrypto elliptic-curves library, specifically affecting versions 0.14.0-pre.0 and 0.14.0-rc.0. The vulnerability stems from improper input validation (CWE-20) in the SM2 public key encryption (PKE) decryption process. The SM2 algorithm uses elliptic curve points, and during decryption, the library decodes a point C1 from input. The function AffinePoint::from_encoded_point(&encoded_c1) returns an Option type that can be None if the point is syntactically valid but does not lie on the SM2 curve. The vulnerable code calls .unwrap() on this Option without checking, causing a panic when an invalid point is supplied. This panic leads to a denial-of-service condition, as the application crashes or becomes unresponsive. The vulnerability can be exploited remotely without authentication or user interaction, as it involves processing crafted ciphertext inputs. The issue was patched by modifying the code to properly handle the None case instead of unwrapping blindly. The CVSS v3.1 score is 7.5 (high), reflecting network attack vector, low attack complexity, no privileges or user interaction required, and impact limited to availability. No known exploits are currently reported in the wild. The vulnerability affects cryptographic operations relying on RustCrypto's elliptic-curves library implementing SM2, a Chinese national standard for public key cryptography based on elliptic curves. This library is used in various Rust-based applications and services requiring ECC support.

For European organizations, this vulnerability poses a risk primarily to availability. Systems using the affected RustCrypto elliptic-curves versions for SM2 decryption may crash or become unresponsive when processing maliciously crafted ciphertexts. This can disrupt services relying on cryptographic operations, including secure communications, authentication, or data protection mechanisms. Although the vulnerability does not compromise confidentiality or integrity directly, denial-of-service conditions can impact business continuity, especially in critical infrastructure, financial services, or government applications using Rust-based cryptographic libraries. Given SM2's prominence in Chinese cryptographic standards, European entities engaging in cross-border communications or software supply chains involving Chinese partners may be more exposed. The lack of required authentication or user interaction increases the risk of remote exploitation. However, the absence of known exploits in the wild suggests limited immediate threat but warrants proactive mitigation.

European organizations should immediately identify and inventory software components using RustCrypto elliptic-curves versions 0.14.0-pre.0 or 0.14.0-rc.0, especially those implementing SM2 cryptography. Upgrading to the patched version that addresses the improper input validation is critical. Developers should audit cryptographic input handling to ensure robust validation of elliptic curve points before unwrapping or processing. Implementing input sanitization and error handling to gracefully reject invalid points without panics will enhance resilience. Network-level protections such as rate limiting and anomaly detection can help mitigate denial-of-service attempts exploiting this vulnerability. For organizations relying on third-party software, verifying vendor patches or applying mitigations is essential. Additionally, monitoring for unusual application crashes or service disruptions related to cryptographic operations can aid early detection. Incorporating fuzz testing and static analysis tools focused on cryptographic code paths may prevent similar issues in the future.