CVE-2026-32614: CWE-347: Improper Verification of Cryptographic Signature in emmansun gmsm
Go ShangMi (Commercial Cryptography) Library (GMSM) is a cryptographic library that covers the Chinese commercial cryptographic public algorithms SM2/SM3/SM4/SM9/ZUC. Prior to 0.41.1, the current SM9 decryption implementation contains an infinity-point ciphertext forgery vulnerability. The root cause is that, during decryption, the elliptic-curve point C1 in the ciphertext is only deserialized and checked to be on the curve, but the implementation does not explicitly reject the point at infinity. In the current implementation, an attacker can construct C1 as the point at infinity, causing the bilinear pairing result to degenerate into the identity element in the GT group. As a result, a critical part of the key derivation input becomes a predictable constant. An attacker who only knows the target user's UID can derive the decryption key material and then forge a ciphertext that passes the integrity check. This vulnerability is fixed in 0.41.1.
AI Analysis
Technical Summary
CVE-2026-32614 resides in the Go ShangMi (Commercial Cryptography) Library (GMSM), specifically in its implementation of SM9, one of the Chinese commercial cryptographic standards the library covers alongside SM2, SM3, SM4, and ZUC. Prior to version 0.41.1, the SM9 decryption routine in gmsm does not fully validate the elliptic-curve point C1 carried in the ciphertext: it checks that C1 lies on the curve but never explicitly rejects the point at infinity, the identity element of the elliptic-curve group, which passes a plain on-curve check.

An attacker can therefore craft a ciphertext whose C1 is the point at infinity. The bilinear pairing, the core primitive of SM9 decryption, then degenerates to the identity element of the target group GT, so a critical input to the key derivation function becomes a predictable constant rather than an unpredictable value. With knowledge only of the target user's UID, the attacker can derive the decryption key material and forge ciphertexts that pass the integrity check. This breaks the integrity guarantee of the SM9 encryption scheme and allows ciphertext forgery without privileges or user interaction.

The vulnerability is classified under CWE-347 (Improper Verification of Cryptographic Signature) and carries a CVSS v3.1 score of 7.5 (high severity), reflecting exploitability over the network without authentication and an impact on data integrity. The issue was publicly disclosed and fixed in gmsm version 0.41.1. No exploits in the wild have been reported, but the vulnerability poses a significant risk to systems that rely on this library for secure communications or data protection.
Potential Impact
This vulnerability undermines the integrity of encrypted communications or data protected by the SM9 algorithm in the affected gmsm library versions. An attacker can forge ciphertexts that appear valid, potentially allowing unauthorized data injection, manipulation, or replay attacks without detection. This compromises trust in the confidentiality and authenticity of communications, which can have severe consequences in sensitive environments such as government, finance, telecommunications, and critical infrastructure where Chinese commercial cryptographic standards are mandated or preferred. The lack of requirement for privileges or user interaction makes remote exploitation feasible, increasing the attack surface. Organizations relying on gmsm for SM9 encryption may face data integrity breaches, loss of data authenticity, and potential downstream impacts on systems that depend on these cryptographic assurances. Although no active exploits are known, the vulnerability's high severity and straightforward exploitation method necessitate urgent remediation to prevent future attacks.
Mitigation Recommendations
The primary mitigation is to upgrade the emmansun gmsm library to version 0.41.1 or later, where the vulnerability is fixed by proper rejection of the point at infinity during SM9 decryption. Organizations should audit their software dependencies to identify any usage of gmsm versions prior to 0.41.1 and prioritize patching. Additionally, developers should implement strict input validation for elliptic curve points in cryptographic operations, explicitly rejecting invalid or special points such as the point at infinity. Cryptographic protocol implementations should be reviewed to ensure they do not rely solely on curve membership checks but also verify that points are valid and non-degenerate. Monitoring network traffic for anomalous ciphertext patterns or unexpected cryptographic failures may help detect exploitation attempts. Where possible, applying defense-in-depth measures such as cryptographic algorithm agility and fallback to alternative secure algorithms can reduce reliance on vulnerable implementations. Finally, educating developers and security teams about the risks of improper cryptographic validation can prevent similar issues in future projects.
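The check the Technical Summary says is missing, and the "explicitly reject the point at infinity" mitigation above, can be shown side by side. The following Go program is an added example written for this page; it is not code from gmsm or from the advisory. It uses the SM9 G1 curve y^2 = x^3 + 5 over the base-field prime published in GM/T 0044-2016, but the point encoding (a single 0x00 byte for the identity, or 0x04 || X || Y), the G1Point type, the function names, and the sample point found by SamplePoint are all assumptions made for the demonstration. IsOnCurve is the membership test that accepts the identity; ValidateC1 is the hardened check a decryptor should run on C1.

```go
package main

import (
	"errors"
	"fmt"
	"math/big"
)

// SM9 G1 curve: y^2 = x^3 + 5 over F_p, p being the base-field prime published in
// GM/T 0044-2016. The group has prime order, so G1 has cofactor 1.
var sm9P, _ = new(big.Int).SetString("B640000002A3A6F1D603AB4FF58EC74521F2934B1A7AEEDBE56F9B27E351457D", 16)
var sm9B = big.NewInt(5)

// G1Point is an affine point. Inf marks the group identity (point at infinity),
// which has no affine coordinates and so must be tracked explicitly.
type G1Point struct {
	X, Y *big.Int
	Inf  bool
}

var (
	ErrEncoding   = errors.New("sm9: malformed point encoding")
	ErrNotOnCurve = errors.New("sm9: point is not on the curve")
	ErrInfinity   = errors.New("sm9: C1 is the point at infinity")
)

// DecodeG1 parses the encoding assumed by this example (not gmsm's wire format):
// a single 0x00 byte for the point at infinity, or 0x04 || X(32) || Y(32).
func DecodeG1(data []byte) (*G1Point, error) {
	switch {
	case len(data) == 1 && data[0] == 0x00:
		return &G1Point{Inf: true}, nil
	case len(data) == 65 && data[0] == 0x04:
		return &G1Point{X: new(big.Int).SetBytes(data[1:33]), Y: new(big.Int).SetBytes(data[33:65])}, nil
	}
	return nil, ErrEncoding
}

// IsOnCurve is a group-membership check. The identity is a legitimate member of
// the group, so a validator that stops here accepts the point at infinity:
// that is the gap CVE-2026-32614 describes.
func IsOnCurve(pt *G1Point) bool {
	if pt.Inf {
		return true
	}
	if pt.X.Sign() < 0 || pt.X.Cmp(sm9P) >= 0 || pt.Y.Sign() < 0 || pt.Y.Cmp(sm9P) >= 0 {
		return false // coordinates must be reduced field elements
	}
	lhs := new(big.Int).Mul(pt.Y, pt.Y)
	lhs.Mod(lhs, sm9P)
	rhs := new(big.Int).Exp(pt.X, big.NewInt(3), sm9P)
	rhs.Add(rhs, sm9B).Mod(rhs, sm9P)
	return lhs.Cmp(rhs) == 0
}

// ValidateC1 is the hardened check: C1 must be on the curve AND must not be the
// identity. With C1 = O the pairing e(C1, de_B) is the identity of GT for every
// private key de_B, so the value fed into key derivation depends on no secret.
// (A curve with cofactor > 1 would additionally need a subgroup check n*C1 == O.)
func ValidateC1(pt *G1Point) error {
	if pt.Inf {
		return ErrInfinity
	}
	if !IsOnCurve(pt) {
		return ErrNotOnCurve
	}
	return nil
}

// CheckEncodedC1 is the full decode-then-validate path for a received C1.
func CheckEncodedC1(data []byte) error {
	pt, err := DecodeG1(data)
	if err != nil {
		return err
	}
	return ValidateC1(pt)
}

// SamplePoint constructs a valid point deterministically (smallest x >= 1 for
// which x^3 + 5 is a square mod p). It is constructed test input, not a generator.
func SamplePoint() *G1Point {
	for x := int64(1); ; x++ {
		rhs := new(big.Int).Exp(big.NewInt(x), big.NewInt(3), sm9P)
		rhs.Add(rhs, sm9B).Mod(rhs, sm9P)
		if y := new(big.Int).ModSqrt(rhs, sm9P); y != nil {
			return &G1Point{X: big.NewInt(x), Y: y}
		}
	}
}

func main() {
	good := SamplePoint()
	fmt.Println("valid C1:", ValidateC1(good))                                    // <nil>
	fmt.Println("on-curve-only check accepts O:", IsOnCurve(&G1Point{Inf: true})) // true
	fmt.Println("hardened check on O:", CheckEncodedC1([]byte{0x00}))             // ErrInfinity
	fmt.Println("off-curve:", ValidateC1(&G1Point{X: good.X, Y: new(big.Int).Add(good.Y, big.NewInt(1))}))
}
```

The design point is the ordering: the identity test comes first and is independent of the curve equation, because no affine on-curve computation can ever observe the identity. A review of any decryption or key-agreement code that deserialises peer-supplied points should look for this explicit rejection right after decoding, before the point is handed to a pairing or scalar multiplication.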
Affected Countries
China, Taiwan, Hong Kong, Singapore, Malaysia, South Korea, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-12T14:54:24.271Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69b473bd2f860ef943aa93f2
Added to database: 3/13/2026, 8:29:49 PM
Last enriched: 3/13/2026, 8:45:25 PM
Last updated: 3/15/2026, 6:41:17 PM