
CVE-2026-23965: CWE-347: Improper Verification of Cryptographic Signature in JuneAndGreen sm-crypto

Severity: High
Published: Thu Jan 22 2026 (01/22/2026, 02:05:43 UTC)
Source: CVE Database V5
Vendor/Project: JuneAndGreen
Product: sm-crypto

Description

CVE-2026-23965 is a high-severity vulnerability in the sm-crypto JavaScript library, which implements the Chinese cryptographic algorithms SM2, SM3, and SM4. The flaw lies in the SM2 signature verification logic prior to version 0.4.0 and allows attackers to forge valid signatures for arbitrary public keys without authentication or user interaction. The forgery is practical when the message space has sufficient redundancy, so that an attacker can craft messages with a fixed prefix that satisfies the verification logic. The vulnerability undermines the integrity of cryptographic operations, potentially allowing unauthorized actions or data tampering. No known exploits are currently reported in the wild. The issue is patched in sm-crypto version 0.4.0.

AI-Powered Analysis

Last updated: 01/29/2026, 08:50:05 UTC

Technical Analysis

The vulnerability CVE-2026-23965 affects the sm-crypto JavaScript library, which implements Chinese cryptographic algorithms SM2 (asymmetric signature), SM3 (hash), and SM4 (block cipher). Specifically, the flaw is in the SM2 signature verification logic before version 0.4.0. SM2 is a public key cryptographic algorithm widely used in China for digital signatures and encryption. The vulnerability is classified under CWE-347, indicating improper verification of cryptographic signatures. Under default configurations, the signature verification process does not correctly validate signatures, allowing an attacker to forge valid signatures for any arbitrary public key without needing any privileges or user interaction. The attack requires the message space to have sufficient redundancy so that the attacker can fix the prefix of the message to meet specific formatting constraints required by the verification logic. This means that the attacker can produce a forged signature-message pair that will be accepted as valid by the vulnerable verification function. The impact is a complete compromise of signature integrity, undermining trust in any system relying on SM2 signatures for authentication, authorization, or data integrity. The vulnerability has a CVSS 3.1 score of 7.5 (high severity), reflecting its network attack vector, low complexity, no privileges required, and no user interaction needed. Although no exploits have been observed in the wild, the flaw is critical for any application or system using sm-crypto for SM2 signature verification. The vendor has addressed the issue in version 0.4.0 by correcting the signature verification logic to properly validate signatures and prevent forgery.

Potential Impact

For European organizations, the vulnerability poses a significant risk to systems that utilize the sm-crypto library or SM2 cryptographic signatures, particularly in environments where Chinese cryptographic standards are adopted or integrated. The forgery of digital signatures can lead to unauthorized access, fraudulent transactions, data tampering, and bypass of authentication or authorization controls. This undermines the integrity of communications, software updates, or document signing processes relying on SM2 signatures. Organizations in sectors such as finance, telecommunications, critical infrastructure, and government that engage with Chinese technology providers or standards may be particularly vulnerable. The compromise of signature integrity can also affect supply chain security and trust in digital certificates. Given the network-exploitable nature and no requirement for privileges or user interaction, the threat can be exploited remotely and stealthily, increasing the risk of widespread impact if the vulnerable library is used in exposed services or applications.

Mitigation Recommendations

European organizations should immediately audit their software and systems to identify any usage of the sm-crypto library, especially versions prior to 0.4.0. They must upgrade all instances of sm-crypto to version 0.4.0 or later, where the signature verification flaw is patched. For custom or embedded implementations of SM2 signature verification, a thorough code review and testing should be conducted to ensure compliance with correct cryptographic verification standards. Organizations should also consider implementing additional cryptographic validation layers or fallback mechanisms to detect forged signatures. Monitoring network traffic and application logs for anomalous signature verification failures or suspicious message patterns can help detect exploitation attempts. Where feasible, limiting exposure of services using SM2 signatures to trusted networks and enforcing strict access controls can reduce attack surface. Finally, organizations should engage with their software vendors and supply chain partners to confirm that patched versions are deployed and to raise awareness about this vulnerability.
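As an added example (not code from the advisory or the sm-crypto project), the following Node.js script implements the audit step above: it walks a package-lock.json for every installed copy of sm-crypto, including nested transitive copies, and flags any version below 0.4.0. The lockfile and the package versions in it are constructed for the demonstration.

```javascript
// Added example: locate sm-crypto in an npm lockfile and flag versions affected by
// CVE-2026-23965 (fixed in 0.4.0 per the advisory). Pass a real lockfile's parsed
// JSON to auditLockfile() to check your own dependency tree.
const PACKAGE = "sm-crypto";
const FIXED_VERSION = "0.4.0"; // first patched release

// Numeric dotted-version compare: "0.3.13" < "0.4.0" even though "13" > "4" lexically.
// A pre-release suffix ("1.0.0-beta") is ignored for the comparison.
function compareVersions(a, b) {
  const parts = (v) => v.split("-")[0].split(".").map((x) => parseInt(x, 10) || 0);
  const pa = parts(a), pb = parts(b);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

function isVulnerable(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// lockfileVersion 2/3 keep a flat `packages` map keyed by install path
// ("node_modules/a/node_modules/sm-crypto"); lockfileVersion 1 nests `dependencies`.
function findPackage(lock, name) {
  const hits = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
        hits.push({ path, version: meta.version });
      }
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [dep, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${dep}`;
        if (dep === name) hits.push({ path, version: meta.version });
        if (meta.dependencies) walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

function auditLockfile(lock) {
  return findPackage(lock, PACKAGE).map((h) => ({ ...h, vulnerable: isVulnerable(h.version) }));
}

// Constructed lockfile (v3 layout): a patched top-level copy plus a vulnerable
// copy pulled in transitively by a hypothetical "legacy-signer" dependency.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/sm-crypto": { version: "0.4.0" },
  "node_modules/legacy-signer": { version: "2.1.0" },
  "node_modules/legacy-signer/node_modules/sm-crypto": { version: "0.3.13" } } };

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.vulnerable ? "VULNERABLE" : "ok"}\t${f.path} (${f.version})`);
}
```

Nested copies matter: upgrading the direct dependency does not fix a second copy vendored under another package, so the report lists every install path.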


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-01-19T14:49:06.314Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 697190914623b1157c0cb7e4

Added to database: 1/22/2026, 2:50:57 AM

Last enriched: 1/29/2026, 8:50:05 AM

Last updated: 2/7/2026, 11:52:08 AM
