CVE-2026-32614

Source
https://cve.org/CVERecord?id=CVE-2026-32614
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32614.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-32614
Aliases
Published
2026-03-13T20:14:05.750Z
Modified
2026-03-14T22:03:24.262888Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Summary
Go ShangMi SM9 Infinity-Point Ciphertext Forgery Vulnerability
Details

Go ShangMi (Commercial Cryptography) Library (GMSM) is a cryptographic library that covers the Chinese commercial cryptographic public algorithms SM2/SM3/SM4/SM9/ZUC. Prior to 0.41.1, the SM9 decryption implementation contains an infinity-point ciphertext forgery vulnerability. The root cause is that, during decryption, the elliptic-curve point C1 in the ciphertext is only deserialized and checked to be on the curve; the implementation does not explicitly reject the point at infinity. An attacker can construct C1 as the point at infinity, causing the bilinear pairing result to degenerate into the identity element of the GT group. As a result, a critical part of the key derivation input becomes a predictable constant. An attacker who knows only the target user's UID can derive the decryption key material and then forge a ciphertext that passes the integrity check. This vulnerability is fixed in 0.41.1.
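
The degenerate case described above, modelled on a toy bilinear group as an added example (this is not gmsm's code and does not use SM9 parameters). The names `pairing`, `validateWeak`, `validateStrict` and `distinctW` are hypothetical; the point is that a membership-only check accepts the identity, and that the pairing of the identity is the same constant for every private key, which is why C1 must be rejected before pairing.

```go
package main

import (
	"errors"
	"fmt"
)

// Toy bilinear group, constructed for illustration (not SM9 parameters): G1/G2
// are Z_n written additively, so 0 stands for the point at infinity.
const p, n, g = 23, 11, 2 // GT modulus, group order, GT generator (order 11 mod 23)
var errIdentity = errors.New("C1 is the identity element")

// pairing computes e(a, b) = g^(a*b) mod p, which is bilinear in a and b.
func pairing(a, b int) int {
	w := 1
	for i := 0; i < (a*b)%n; i++ {
		w = w * g % p
	}
	return w
}

// validateWeak models the flawed check: group membership only.
func validateWeak(c1 int) error {
	if c1 < 0 || c1 >= n {
		return errors.New("C1 is not a group element")
	}
	return nil
}

// validateStrict adds the missing step: reject the identity before pairing.
func validateStrict(c1 int) error {
	if c1 == 0 {
		return errIdentity
	}
	return validateWeak(c1)
}

// distinctW counts distinct pairing outputs for c1 across all keys 1..n-1.
func distinctW(c1 int) int {
	seen := map[int]bool{}
	for de := 1; de < n; de++ {
		seen[pairing(c1, de)] = true
	}
	return len(seen)
}

func main() {
	fmt.Println(validateWeak(0), validateStrict(0), distinctW(0), distinctW(3))
}
```

For the identity, `distinctW` returns 1 (the pairing output no longer depends on the private key), while a non-identity element yields a different output for each key.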

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32614.json",
    "cwe_ids": [
        "CWE-347"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/emmansun/gmsm

Affected ranges

Type
GIT
Repo
https://github.com/emmansun/gmsm
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.41.1"
        }
    ]
}

Affected versions

go_1.*
go_1.15
v0.*
v0.1.0
v0.1.0-alpha
v0.1.1
v0.1.2
v0.10.0
v0.11.0
v0.11.1
v0.11.2
v0.11.3
v0.11.4
v0.11.5
v0.12.0
v0.12.1
v0.12.2
v0.12.3
v0.13.0
v0.13.1
v0.13.2
v0.13.3
v0.13.4
v0.13.5
v0.13.6
v0.13.7
v0.13.8
v0.14.0
v0.14.1
v0.15.0
v0.15.1
v0.15.2
v0.15.3
v0.15.4
v0.15.5
v0.15.6
v0.15.7
v0.16.0
v0.17.0
v0.17.1
v0.17.2
v0.17.3
v0.17.4
v0.17.5
v0.18.0
v0.18.1
v0.19.0
v0.19.1
v0.19.2
v0.19.3
v0.2.0
v0.2.1
v0.2.2
v0.20.0
v0.20.1
v0.20.2
v0.21.0
v0.21.1
v0.21.2
v0.21.3
v0.21.4
v0.21.5
v0.21.5-beta
v0.21.5-beta.1
v0.22.0
v0.22.1
v0.23.0
v0.24.0
v0.24.1
v0.24.2
v0.24.3
v0.25.0
v0.26.0
v0.26.1
v0.27.0
v0.27.1
v0.27.2
v0.27.3
v0.27.3-beta.0
v0.27.3-beta.1
v0.27.4
v0.28.0
v0.29.0
v0.29.1
v0.29.2
v0.29.3
v0.29.3-beta.1
v0.29.3-beta.2
v0.29.4
v0.29.5
v0.29.5-beta.1
v0.29.5-beta.2
v0.29.6
v0.29.7
v0.29.8
v0.3.0
v0.3.1
v0.3.2
v0.3.3
v0.3.4
v0.30.0
v0.30.1
v0.31.0
v0.32.0
v0.33.0
v0.34.0
v0.34.1
v0.4.0
v0.4.1
v0.4.2
v0.4.3
v0.4.4
v0.4.5
v0.4.6
v0.4.7
v0.4.8
v0.4.9
v0.40.0
v0.40.1
v0.41.0
v0.5.0
v0.6.0
v0.7.0
v0.8.0
v0.8.1
v0.8.2
v0.9.0
v0.9.1
v0.9.2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32614.json"