Headline
GHSA-qv7w-v773-3xqm: sm-crypto Affected by Signature Malleability in SM2-DSA
Summary
A signature malleability vulnerability exists in the SM2 signature verification logic of the sm-crypto library. An attacker can derive a new valid signature for a previously signed message from an existing signature.
Credit
This vulnerability was discovered by:
- XlabAI Team of Tencent Xuanwu Lab
- Atuin Automated Vulnerability Discovery Engine
CVE-2026-23967: sm-crypto Affected by Signature Malleability in SM2-DSA
High severity GitHub Reviewed Published Jan 20, 2026 in JuneAndGreen/sm-crypto • Updated Jan 21, 2026
Package
sm-crypto (npm)
Affected versions
< 0.3.14
References
- GHSA-qv7w-v773-3xqm
Published to the GitHub Advisory Database
Jan 21, 2026
Last updated
Jan 21, 2026