QSearchQSearch

CVE-2021-3711

9.8 CRITICAL

In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt()

Published: 2021-08-24 · Last updated: 2026-06-17

Severity and scoring

CVSS
9.8 CRITICAL
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE
CWE-120

Affected products

VendorProduct
debianactive_iq_unified_manager, clustered_data_ontap, clustered_data_ontap_antivirus_connector
netappactive_iq_unified_manager, clustered_data_ontap, clustered_data_ontap_antivirus_connector
opensslactive_iq_unified_manager, clustered_data_ontap, clustered_data_ontap_antivirus_connector
oracleactive_iq_unified_manager, clustered_data_ontap, clustered_data_ontap_antivirus_connector
tenableactive_iq_unified_manager, clustered_data_ontap, clustered_data_ontap_antivirus_connector

Description

In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the "out" parameter can be NULL and, on exit, the "outlen" parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the "out" parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).

Source: NVD

References

Related CVEs

Same vendor

  • CVE-2026-35273 Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Updates Environment Management) (9.8 CRITICAL)
  • CVE-2026-9076 Issue summary: When CMS password-based decryption (RFC 3211 / PWRI key unwrap) processes attacker-supplied CMS data, an attacker-chosen s... (7.5 HIGH)
  • CVE-2026-7383 Issue summary: A signed integer overflow when sizing the destination buffer for Unicode output in ASN1_mbstring_ncopy() can lead to a hea... (8.1 HIGH)
  • CVE-2026-45447 Issue summary: A specially crafted PKCS#7 or S/MIME signed message could trigger a use-after-free during PKCS#7 signature verification (8.8 HIGH)
  • CVE-2026-45446 Issue summary: The implementations of AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) mishandle the authentication of AAD (Additional Authe... (4.8 MEDIUM)

Same CWE

  • CVE-2026-12328 Memory safety bugs present in Firefox ESR 115.36, Firefox ESR 140.11, Thunderbird ESR 140.11, Firefox 151 and Thunderbird 151 (8.1 HIGH)
  • CVE-2026-12192 A vulnerability was determined in GALAYOU Y4 1.0.0 (8.8 HIGH)
  • CVE-2026-36818 Shenzhen Tenda Technology Co., Ltd Tenda W20E v15.11.0.6 was discovered to contain a buffer overflow in the wewifiWhiteUserInfo parameter... (7.5 HIGH)
  • CVE-2026-36817 Shenzhen Tenda Technology Co., Ltd Tenda W15E v15.11.0.10 was discovered to contain a buffer overflow in the webAuthWhiteUserInfo paramet... (7.5 HIGH)
  • CVE-2026-36816 Shenzhen Tenda Technology Co., Ltd Tenda W15E v15.11.0.10 was discovered to contain a buffer overflow in the wewifiWhiteUserInfo paramete... (7.5 HIGH)