CVE-2026-23965 — HIGH (7.5)

Q: How severe is CVE-2026-23965?

CVE-2026-23965 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2026-23965?

Check the references section above for vendor advisories and patch information. Affected products include: Juneandgreen Sm-Crypto.

Vulnerability Description

sm-crypto provides JavaScript implementations of the Chinese cryptographic algorithms SM2, SM3, and SM4. A signature forgery vulnerability exists in the SM2 signature verification logic of sm-crypto prior to version 0.4.0. Under default configurations, an attacker can forge valid signatures for arbitrary public keys. If the message space contains sufficient redundancy, the attacker can fix the prefix of the message associated with the forged signature to satisfy specific formatting requirements. Version 0.4.0 patches the issue.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Juneandgreen	Sm-Crypto	< 0.4.0

Related Weaknesses (CWE)

CWE-347

References

FAQ

What is CVE-2026-23965?

CVE-2026-23965 is a vulnerability with a CVSS score of 7.5 (HIGH). sm-crypto provides JavaScript implementations of the Chinese cryptographic algorithms SM2, SM3, and SM4. A signature forgery vulnerability exists in the SM2 signature verification logic of sm-crypto p...

How severe is CVE-2026-23965?

CVE-2026-23965 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2026-23965?

Check the references section above for vendor advisories and patch information. Affected products include: Juneandgreen Sm-Crypto.