CVE-2026-23967: CWE-347: Improper Verification of Cryptographic Signature in JuneAndGreen sm-crypto
CVE-2026-23967 is a high-severity vulnerability in the sm-crypto JavaScript library implementing Chinese cryptographic algorithms SM2, SM3, and SM4. The flaw lies in the SM2 signature verification logic prior to version 0.3.14, allowing an attacker to create a new valid signature from an existing one due to signature malleability. This vulnerability does not impact confidentiality or availability but compromises signature integrity, enabling potential forgery of signed messages without requiring authentication or user interaction. No known exploits are currently reported in the wild. The issue is patched in version 0.3.14. European organizations using sm-crypto in applications that rely on SM2 signatures should urgently update to the fixed version to prevent signature forgery risks.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2026-23967 affects the sm-crypto JavaScript library, which provides implementations of Chinese cryptographic algorithms SM2 (public key cryptography), SM3 (hash function), and SM4 (block cipher). Specifically, the flaw is in the SM2 signature verification logic before version 0.3.14. The vulnerability is classified under CWE-347, indicating improper verification of cryptographic signatures. Due to signature malleability, an attacker who has access to a valid signature on a message can derive a different, yet still valid, signature for the same message. This undermines the integrity guarantees of the signature scheme, potentially allowing attackers to forge signatures without possessing the private key. The vulnerability has a CVSS 3.1 base score of 7.5 (high), with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), no confidentiality impact (C:N), high integrity impact (I:H), and no availability impact (A:N). The flaw does not affect confidentiality or availability but severely impacts the integrity of signed data. The issue was publicly disclosed on January 22, 2026, and fixed in sm-crypto version 0.3.14. No known exploits have been reported in the wild, but the potential for signature forgery poses a significant risk to applications relying on SM2 signatures for authentication, authorization, or non-repudiation.
Potential Impact
For European organizations, the primary impact is the risk of signature forgery, which can lead to unauthorized actions being accepted as legitimate if the system relies on SM2 signatures for critical operations such as document signing, software updates, or secure communications. This could undermine trust in digital transactions and cause legal or financial repercussions. Since sm-crypto is a JavaScript library, the vulnerability could affect web applications, browser-based tools, or Node.js services that implement SM2 signatures. Organizations using Chinese cryptographic standards due to regulatory, business, or interoperability reasons are particularly at risk. The lack of confidentiality or availability impact means data leakage or service disruption is unlikely, but the integrity compromise can facilitate fraud, impersonation, or bypass of security controls. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits given the public disclosure.
Mitigation Recommendations
European organizations should immediately audit their use of the sm-crypto library and identify any applications employing SM2 signatures. The primary mitigation is to upgrade all instances of sm-crypto to version 0.3.14 or later, where the signature malleability issue is fixed. For applications where upgrading is not immediately feasible, implement additional signature verification layers or use alternative cryptographic libraries with robust SM2 implementations. Conduct thorough testing to ensure that signature verification logic correctly rejects malleable signatures. Monitor for any suspicious activities involving signature forgery attempts. Additionally, review cryptographic policies to assess the necessity of using SM2 and consider fallback or migration strategies to more widely vetted cryptographic standards if appropriate. Establish incident response plans to address potential signature forgery incidents. Finally, maintain awareness of future updates or advisories related to sm-crypto and Chinese cryptographic algorithm implementations.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-19T14:49:06.314Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 697190914623b1157c0cb7ec
Added to database: 1/22/2026, 2:50:57 AM
Last enriched: 1/29/2026, 8:49:45 AM
Last updated: 2/7/2026, 4:24:02 AM