Out-of-bounds heap read during SM2/SM3 certificate signature verification. When parsing a certificate with an SM3wSM2 signature, the Subject Key Identifier computation reads the trailing 65 bytes of the public key without checking that the key is at least that long. A public key shorter than 65 bytes results in an out-of-bounds heap read, leading to a potential crash (denial of service); there is no out-of-bounds write. Note this only affects builds with SM2 support (--enable-sm2 or --enable-all).
{
"sources": [
{
"published": "2026-06-25T20:17:09.907Z",
"url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-12340",
"imported": "2026-07-14T21:22:49.596Z",
"html_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-12340",
"id": "CVE-2026-12340",
"modified": "2026-06-26T18:54:32.567Z",
"database_specific": {
"status": "Analyzed"
}
},
{
"html_url": "https://github.com/advisories/GHSA-q349-x427-xg3w",
"imported": "2026-07-14T21:22:56.593Z",
"published": "2026-06-25T21:31:31Z",
"id": "GHSA-q349-x427-xg3w",
"modified": "2026-06-26T21:32:11Z",
"url": "https://api.github.com/advisories/GHSA-q349-x427-xg3w"
},
{
"modified": "2026-06-26T13:59:21Z",
"imported": "2026-07-14T21:22:51.127Z",
"published": "2026-06-25T19:36:21Z",
"id": "EUVD-2026-39547",
"url": "https://euvdservices.enisa.europa.eu/api/enisaid?id=EUVD-2026-39547",
"html_url": "https://euvd.enisa.europa.eu/vulnerability/EUVD-2026-39547"
}
],
"license": "CC-BY-4.0"
}