Severity by source
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
Lifecycle Timeline
5DescriptionGitHub Advisory
OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone technology. In versions 3.13.0 through 4.10.0, missing checks in entry_get_attribute_value() in ta/pkcs11/src/object.c can lead to out-of-bounds read from the PKCS#11 TA heap or a crash. When chained with the OOB read, the PKCS#11 TA function PKCS11_CMD_GET_ATTRIBUTE_VALUE or entry_get_attribute_value() can, with a bad template parameter, be tricked into reading at most 7 bytes beyond the end of the template buffer and writing beyond the end of the template buffer with the content of an attribute value of a PKCS#11 object. Commits e031c4e562023fd9f199e39fd2e85797e4cbdca9, 16926d5a46934c46e6656246b4fc18385a246900, and 149e8d7ecc4ef8bb00ab4a37fd2ccede6d79e1ca contain patches and are anticipated to be part of version 4.11.0.
AnalysisAI
Out-of-bounds read and write in OP-TEE OS PKCS#11 Trusted Application (versions 3.13.0-4.10.0) allows authenticated local attackers with low privileges to read up to 7 bytes beyond heap boundaries and write arbitrary attribute values outside allocated buffers, potentially compromising the integrity and confidentiality of the Trusted Execution Environment. The vulnerability affects Arm TrustZone-based TEE implementations running alongside Linux kernels on Cortex-A cores. Patches available in three upstream commits targeting version 4.11.0. EPSS data not provided; no CISA KEV status indicating targeted rather than widespread exploitation. CVSS 8.7 reflects high confidentiality/integrity impact with scope change, representing potential TEE compromise from the normal world.
Technical ContextAI
OP-TEE (Open Portable Trusted Execution Environment) implements Arm TrustZone technology to create isolated secure-world execution contexts alongside a non-secure Linux kernel on Cortex-A processors. The PKCS#11 Trusted Application (TA) provides cryptographic token interface services within the TEE. The vulnerability (CWE-125: Out-of-bounds Read) exists in the entry_get_attribute_value() function within ta/pkcs11/src/object.c, where insufficient bounds checking on template parameters allows memory access beyond allocated heap buffers. When processing PKCS11_CMD_GET_ATTRIBUTE_VALUE commands, malformed template parameters can trigger reads up to 7 bytes past the template buffer boundary, with the out-of-bounds data then written back beyond the template buffer bounds using PKCS#11 object attribute values. This represents a classic buffer overflow chaining two memory safety violations: OOB read providing targeting information for subsequent OOB write. The CPE identifier confirms affected component as optee_os across the specified version range.
RemediationAI
Upgrade to OP-TEE OS version 4.11.0 or later once released, which will incorporate fixes from commits e031c4e562023fd9f199e39fd2e85797e4cbdca9, 16926d5a46934c46e6656246b4fc18385a246900, and 149e8d7ecc4ef8bb00ab4a37fd2ccede6d79e1ca (patches viewable at https://github.com/OP-TEE/optee_os/commit/149e8d7ecc4ef8bb00ab4a37fd2ccede6d79e1ca and related commit URLs). Organizations requiring immediate mitigation can backport the three patches to their current OP-TEE version, though this requires TEE rebuild and redeployment with firmware updates. As a compensating control until patching, disable the PKCS#11 Trusted Application if not operationally required by setting CFG_PKCS11_TA=n in OP-TEE build configuration, which eliminates the vulnerable code path entirely but removes hardware-backed PKCS#11 cryptographic services, breaking applications dependent on TEE-based key storage and potentially impacting secure boot flows, DRM implementations, and VPN key management. Restrict local user access to systems running vulnerable OP-TEE versions, as PR:L indicates authenticated local access is the attack prerequisite, though this provides limited protection on multi-user embedded Linux systems.
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25379