Vulnerability Description
Go ShangMi (Commercial Cryptography) Library (GMSM) is a cryptographic library that covers the Chinese commercial cryptographic public algorithms SM2/SM3/SM4/SM9/ZUC. Prior to 0.41.1, the current SM9 decryption implementation contains an infinity-point ciphertext forgery vulnerability. The root cause is that, during decryption, the elliptic-curve point C1 in the ciphertext is only deserialized and checked to be on the curve, but the implementation does not explicitly reject the point at infinity. In the current implementation, an attacker can construct C1 as the point at infinity, causing the bilinear pairing result to degenerate into the identity element in the GT group. As a result, a critical part of the key derivation input becomes a predictable constant. An attacker who only knows the target user's UID can derive the decryption key material and then forge a ciphertext that passes the integrity check. This vulnerability is fixed in 0.41.1.
CVSS Score
HIGH
Related Weaknesses (CWE)
References
FAQ
What is CVE-2026-32614?
CVE-2026-32614 is a vulnerability with a CVSS score of 7.5 (HIGH). Go ShangMi (Commercial Cryptography) Library (GMSM) is a cryptographic library that covers the Chinese commercial cryptographic public algorithms SM2/SM3/SM4/SM9/ZUC. Prior to 0.41.1, the current SM9 ...
How severe is CVE-2026-32614?
CVE-2026-32614 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-32614?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.