CVE-2026-22700: CWE-20: Improper Input Validation in RustCrypto elliptic-curves
RustCrypto: Elliptic Curves is general purpose Elliptic Curve Cryptography (ECC) support, including types and traits for representing various elliptic curve forms, scalars, points, and public/secret keys composed thereof. In versions 0.14.0-pre.0 and 0.14.0-rc.0, a denial-of-service vulnerability exists in the SM2 public-key encryption (PKE) implementation: the decrypt() path performs unchecked slice::split_at operations on input buffers derived from untrusted ciphertext. An attacker can submit short/undersized ciphertext or carefully-crafted DER-encoded structures to trigger bounds-check panics (Rust unwinding) which crash the calling thread or process. This issue has been patched via commit e60e991.
AI Analysis
Technical Summary
CVE-2026-22700 affects the SM2 public-key encryption (PKE) implementation in RustCrypto elliptic-curves (published as the `sm2` crate), in the pre-release versions 0.14.0-pre.0 and 0.14.0-rc.0; only these two versions are listed as affected. RustCrypto elliptic-curves provides general-purpose elliptic curve cryptography support, including types and traits for curve forms, scalars, points and key representations. The flaw is improper input validation (CWE-20) in the decrypt() path, which splits the incoming ciphertext buffer with slice::split_at at fixed offsets without first checking that the buffer is long enough. slice::split_at panics whenever the split index exceeds the slice length, so a short or truncated ciphertext, or a DER-encoded structure crafted so that its decoded fields are shorter than the offsets assume, triggers a bounds-check panic. Under Rust's default panic=unwind strategy the panic unwinds the calling thread; if nothing catches it the thread terminates, and a panic on the main thread, or any panic in a binary built with panic=abort, terminates the whole process. The result is denial of service only: a Rust panic is memory-safe and discloses nothing, so confidentiality and integrity are unaffected, but the availability of the service embedding the library is. Exploitation requires no privileges or user interaction and is remotely reachable wherever an application hands attacker-supplied SM2 ciphertext to decrypt(), for example a network service that decrypts client-submitted messages. The issue was fixed in commit e60e991; for this class of bug the remedy is to check buffer lengths before splitting (or use a fallible split) and return an error for malformed input instead of panicking. No exploitation in the wild has been reported. The CVSS v3.1 base score is 7.5 (High): network attack vector, low attack complexity, no privileges required, no user interaction, and impact limited to availability.
Potential Impact
For European organizations, the impact of this vulnerability is denial of service in applications or services that use the affected RustCrypto elliptic-curves versions for SM2 public-key decryption. SM2 is the Chinese national public-key standard (GB/T 32918), so exposure in Europe is concentrated in software that interoperates with Chinese counterparties, products or regulatory regimes, or in libraries and gateways that support SM2 alongside other curves. Where it is present, a crash in the decryption path disrupts the secure-communication, authentication or data-protection workflow built on it, and organizations running such code in critical infrastructure, financial services or government systems may see outages or degraded availability. Confidentiality and integrity are not compromised, but the availability impact can cause operational disruption, loss of trust and compliance exposure, for example against the availability and resilience obligations of GDPR Article 32, if a service processing personal data becomes unavailable. Because exploitation is trivial and remote, an attacker who can reach an endpoint that decrypts submitted SM2 ciphertext can crash it repeatedly with undersized inputs. No exploitation in the wild is known at the time of writing, but the low effort required means proactive mitigation is warranted.
Mitigation Recommendations
European organizations should first inventory any use of RustCrypto elliptic-curves versions 0.14.0-pre.0 and 0.14.0-rc.0 in their software stacks, especially in applications that perform SM2 public-key decryption; Cargo.lock files and `cargo tree -i sm2` show which binaries pull in the `sm2` crate and at what version, and `cargo audit` will flag it once the RustSec database carries the advisory. The primary mitigation is to upgrade to a release that includes commit e60e991. Where upgrading is not immediately possible, validate ciphertext before it reaches decrypt(): reject inputs shorter than the fixed SM2 header (the C1 point plus the 32-byte C3 digest) and inputs whose DER structure does not decode cleanly, and isolate the call so that a panic cannot take the service down, for instance by running decryption in a dedicated thread or task whose panic is reported as an error, or by wrapping it in std::panic::catch_unwind (this only helps with the default panic=unwind strategy, not with panic=abort). Monitor and alert on panics and unexpected thread or process exits in cryptographic services, since repeated panics from one client are the observable signature of an attack. Apply rate limiting at the application layer and network-level access controls to endpoints that accept ciphertext, and avoid exposing SM2 decryption to untrusted networks where the design allows. After patching, exercise the decryption path with truncated, empty and malformed ciphertexts to confirm it now returns errors rather than panicking, and keep tracking threat intelligence for any exploitation activity.
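The following is an added example, not code from the RustCrypto `sm2` crate or from the commit referenced above. It shows the bug class described in the technical summary (an unchecked slice::split_at over a ciphertext buffer that panics on short input) next to a length-checked version, plus the caller-side mitigation from the recommendations above: a minimum-length pre-check combined with catch_unwind isolation. It assumes the SM2 ciphertext layout C1 || C3 || C2 (64-byte point with an optional 0x04 prefix, 32-byte SM3 digest, then the encrypted message); the key-stream step is a constructed XOR stand-in so the example runs without a curve library, and all function names are hypothetical.

```rust
// Added illustration of the bug class, not code from the RustCrypto sm2 crate.
// Layout assumed: C1 || C3 || C2 with C1 = 64-byte point (optional 0x04 prefix),
// C3 = 32-byte SM3 digest, C2 = encrypted message. The cipher step is a
// constructed XOR stand-in; only the parsing matters here.

const C1_LEN: usize = 64;
const C3_LEN: usize = 32;
const MIN_BODY: usize = C1_LEN + C3_LEN;

#[derive(Debug, PartialEq)]
pub enum Error {
    TooShort { have: usize, need: usize },
    Panicked,
}

/// Strips the optional uncompressed-point marker in front of C1.
fn body(ct: &[u8]) -> &[u8] {
    match ct.first() {
        Some(&0x04) => &ct[1..],
        _ => ct,
    }
}

/// Vulnerable pattern: slice::split_at panics when mid > len, so a short or
/// truncated ciphertext unwinds the calling thread instead of returning Err.
pub fn split_unchecked(ct: &[u8]) -> (&[u8], &[u8], &[u8]) {
    let (c1, rest) = body(ct).split_at(C1_LEN); // panics if fewer than 64 bytes remain
    let (c3, c2) = rest.split_at(C3_LEN);       // panics if fewer than 32 bytes remain
    (c1, c3, c2)
}

/// Fallible split: check the length, then split. On Rust 1.80+ the standard
/// library's slice::split_at_checked does the same and returns Option.
fn split_len(buf: &[u8], n: usize, total: usize) -> Result<(&[u8], &[u8]), Error> {
    if buf.len() < n {
        return Err(Error::TooShort { have: total, need: MIN_BODY });
    }
    Ok(buf.split_at(n))
}

/// Hardened pattern: every split is length-checked; malformed input is an Err.
pub fn split_checked(ct: &[u8]) -> Result<(&[u8], &[u8], &[u8]), Error> {
    let b = body(ct);
    let (c1, rest) = split_len(b, C1_LEN, ct.len())?;
    let (c3, c2) = split_len(rest, C3_LEN, ct.len())?;
    Ok((c1, c3, c2))
}

/// Constructed stand-in for the key stream; real SM2 derives the mask from the
/// shared point with KDF(SM3) and verifies C3 against the plaintext.
fn unmask(c2: &[u8]) -> Vec<u8> {
    c2.iter().map(|b| b ^ 0x5a).collect()
}

pub fn decrypt_vulnerable(ct: &[u8]) -> Vec<u8> {
    let (_c1, _c3, c2) = split_unchecked(ct);
    unmask(c2)
}

pub fn decrypt_fixed(ct: &[u8]) -> Result<Vec<u8>, Error> {
    let (_c1, _c3, c2) = split_checked(ct)?;
    Ok(unmask(c2))
}

/// Caller-side mitigation while the library is unpatched: reject inputs that
/// cannot be well-formed, then isolate the call with catch_unwind so a panic in
/// the decryptor becomes an Err at the boundary instead of killing the worker.
/// Caveat: catch_unwind cannot help in a binary built with panic = "abort".
pub fn decrypt_guarded<F>(ct: &[u8], decrypt: F) -> Result<Vec<u8>, Error>
where
    F: FnOnce(&[u8]) -> Vec<u8> + std::panic::UnwindSafe,
{
    if ct.len() < MIN_BODY {
        return Err(Error::TooShort { have: ct.len(), need: MIN_BODY });
    }
    std::panic::catch_unwind(|| decrypt(ct)).map_err(|_| Error::Panicked)
}

/// Constructed sample ciphertext for `msg` (placeholder C1/C3, no real key material).
pub fn sample_ciphertext(msg: &[u8]) -> Vec<u8> {
    let mut ct = vec![0x04];
    ct.extend(std::iter::repeat(0x11).take(C1_LEN)); // C1 placeholder
    ct.extend(std::iter::repeat(0x22).take(C3_LEN)); // C3 placeholder
    ct.extend(unmask(msg));                          // C2 = masked message
    ct
}

fn main() {
    let ct = sample_ciphertext(b"hello");
    println!("fixed, well-formed:   {:?}", decrypt_fixed(&ct));
    println!("fixed, truncated:     {:?}", decrypt_fixed(&ct[..40]));
    // The pre-check alone is not enough: 96 bytes pass the filter, but the 0x04
    // prefix leaves a 95-byte body and the unchecked split still panics.
    println!("guarded, 96 bytes:    {:?}", decrypt_guarded(&ct[..96], decrypt_vulnerable));
    println!("guarded, well-formed: {:?}", decrypt_guarded(&ct, decrypt_vulnerable));
}
```

The length pre-check is a cheap filter, not the fix: encoding variants such as the optional point prefix or a DER wrapper mean an input can pass a byte-count test and still be too short once decoded, which is why the catch_unwind boundary (or a dedicated thread or task whose JoinHandle reports the panic) is the backstop. Pair it with a panic hook that logs the panic and the client identity so repeated triggers are visible to monitoring.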
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden, Belgium, Finland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-08T19:23:09.856Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6961e3b319784dcf52ed6559
Added to database: 1/10/2026, 5:29:23 AM
Last enriched: 1/17/2026, 7:59:29 AM
Last updated: 2/5/2026, 6:20:58 PM