CVE-2026-32614: CWE-347: Improper Verification of Cryptographic Signature in emmansun gmsm
Go ShangMi (Commercial Cryptography) Library (GMSM) is a cryptographic library that covers the Chinese commercial cryptographic public algorithms SM2/SM3/SM4/SM9/ZUC. Prior to 0.41.1, the current SM9 decryption implementation contains an infinity-point ciphertext forgery vulnerability. The root cause is that, during decryption, the elliptic-curve point C1 in the ciphertext is only deserialized and checked to be on the curve, but the implementation does not explicitly reject the point at infinity. In the current implementation, an attacker can construct C1 as the point at infinity, causing the bilinear pairing result to degenerate into the identity element in the GT group. As a result, a critical part of the key derivation input becomes a predictable constant. An attacker who only knows the target user's UID can derive the decryption key material and then forge a ciphertext that passes the integrity check. This vulnerability is fixed in 0.41.1.
AI Analysis
Technical Summary
CVE-2026-32614 affects the Go ShangMi (GMSM) cryptographic library, which implements the Chinese commercial cryptographic algorithms, including SM9. SM9 is an identity-based scheme built on elliptic curve cryptography and bilinear pairings. The flaw is in the SM9 decryption path: the elliptic-curve point C1 taken from the ciphertext is deserialized and checked for curve membership, but it is not explicitly checked for being the point at infinity. The point at infinity is the identity element of the elliptic-curve group, so when C1 is the point at infinity the bilinear pairing used in key derivation degenerates to the identity element of the target group GT, and a critical input to the key derivation function becomes a predictable constant rather than a secret value. Consequently, an attacker who knows only the victim's UID can derive the decryption key material and forge ciphertexts that pass the integrity check, bypassing the cryptographic protection. This compromises the integrity of encrypted messages and could allow unauthorized message injection or modification.

The vulnerability is classified under CWE-347 (Improper Verification of Cryptographic Signature). It affects all GMSM versions prior to 0.41.1 and was publicly disclosed on March 13, 2026. The CVSS v3.1 base score is 7.5: network attack vector, no privileges or user interaction required, high impact on integrity, and no impact on confidentiality or availability. No exploits in the wild had been reported as of the publication date. The fix in GMSM version 0.41.1 adds an explicit rejection of the point at infinity during ciphertext verification.
Potential Impact
This vulnerability undermines the integrity of cryptographic operations using the SM9 algorithm in the GMSM library. Organizations relying on GMSM for secure communications, digital signatures, or identity-based encryption face a risk of message forgery and unauthorized data manipulation. Attackers can craft malicious ciphertexts that appear valid, potentially enabling impersonation, injection of false data, or bypassing security controls that depend on SM9. Although confidentiality is not directly impacted, the ability to forge ciphertexts erodes trust in secure communications and cryptographic protocols. The vulnerability is exploitable remotely without authentication or user interaction, which increases the risk of widespread exploitation if left unpatched. Given the use of GMSM in Chinese commercial cryptography contexts, sectors such as government, finance, telecommunications, and critical infrastructure in China and in regions using these cryptographic standards are particularly at risk. The lack of known exploits suggests a limited immediate threat, but the high severity score warrants prompt remediation.
Mitigation Recommendations
Organizations using the GMSM library should:
- Upgrade immediately to version 0.41.1 or later, which includes the fix rejecting the point at infinity during SM9 ciphertext verification.
- If upgrading is not immediately possible, add application-level checks that reject any elliptic curve point equal to the point at infinity before decryption.
- Audit cryptographic code paths involving SM9 to ensure that all elliptic curve points and other cryptographic inputs are properly validated.
- Monitor cryptographic libraries for updates and advisories related to GMSM and SM9.
- Apply defense in depth by combining cryptographic integrity checks with application-layer message authentication codes or signatures.
- Educate developers and security teams on the risks of improper elliptic curve point validation and the importance of adhering to cryptographic standards.
- Consider isolating or limiting the exposure of systems running vulnerable GMSM versions until they are patched, to reduce the attack surface.
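The application-level check recommended above, as an added defensive example written for this page (not code from the gmsm project): it inspects the serialized C1 before it reaches decryption and rejects the point at infinity, as well as unreduced or off-curve coordinates. It assumes C1 arrives as raw x||y or as 0x04||x||y and that the identity element is serialized as all-zero coordinates; the field prime, curve equation and generator P1 are the SM9 G1 parameters from GM/T 0044-2016.

```go
package main

import (
	"errors"
	"fmt"
	"math/big"
)

// SM9 G1 curve E: y^2 = x^3 + 5 over F_p and its generator P1 (GM/T 0044-2016).
var (
	sm9P, _   = new(big.Int).SetString("B640000002A3A6F1D603AB4FF58EC74521F2934B1A7AEEDBE56F9B27E351457D", 16)
	sm9P1X, _ = new(big.Int).SetString("93DE051D62BF718FF5ED0704487D01D6E1E4086909DC3280E8C4E4817C66DDDD", 16)
	sm9P1Y, _ = new(big.Int).SetString("21FE8DDA4F21E607631065125C395BBC1C1C00CBFA6024350C464CD70A3EA616", 16)
)

// CheckC1 validates a serialized SM9 ciphertext point C1 before decryption. It
// accepts 64-byte x||y and 65-byte 0x04||x||y encodings (assumed caller format),
// rejects the point at infinity (assumed to be serialized as all-zero coordinates),
// and also rejects unreduced coordinates and points that are not on the curve.
func CheckC1(c1 []byte) error {
	if len(c1) == 65 && c1[0] == 0x04 {
		c1 = c1[1:]
	}
	if len(c1) != 64 {
		return errors.New("C1: bad length or point prefix")
	}
	x := new(big.Int).SetBytes(c1[:32])
	y := new(big.Int).SetBytes(c1[32:])
	// The identity has no affine coordinates; its zero/zero encoding is exactly
	// the input that makes the pairing degenerate, so it must never reach decrypt.
	if x.Sign() == 0 && y.Sign() == 0 {
		return errors.New("C1: point at infinity rejected")
	}
	if x.Cmp(sm9P) >= 0 || y.Cmp(sm9P) >= 0 {
		return errors.New("C1: coordinate not reduced modulo p")
	}
	lhs := new(big.Int).Mul(y, y) // curve membership: y^2 == x^3 + 5 (mod p)
	lhs.Mod(lhs, sm9P)
	rhs := new(big.Int).Exp(x, big.NewInt(3), sm9P)
	rhs.Add(rhs, big.NewInt(5)).Mod(rhs, sm9P)
	if lhs.Cmp(rhs) != 0 {
		return errors.New("C1: point not on curve")
	}
	return nil
}

func main() {
	// Constructed input: the zero/zero encoding of the identity element.
	fmt.Println("infinity C1:", CheckC1(make([]byte, 64)))
}
```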
Affected Countries
China, Singapore, Malaysia, South Korea, Taiwan, Vietnam, United States, Russia, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-12T14:54:24.271Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69b473bd2f860ef943aa93f2
Added to database: 3/13/2026, 8:29:49 PM
Last enriched: 3/20/2026, 11:20:56 PM
Last updated: 4/29/2026, 12:26:05 AM