Skip to main content

OP-TEE OS CVE-2026-33317

| EUVDEUVD-2026-25379 HIGH
Out-of-bounds Read (CWE-125)
2026-04-24 GitHub_M
8.7
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.7 HIGH
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
Low

Lifecycle Timeline

5
Re-analysis Queued
Apr 24, 2026 - 14:52 vuln.today
cvss_changed
Analysis Generated
Apr 24, 2026 - 03:31 vuln.today
EUVD ID Assigned
Apr 24, 2026 - 03:00 euvd
EUVD-2026-25379
Analysis Generated
Apr 24, 2026 - 03:00 vuln.today
CVE Published
Apr 24, 2026 - 02:20 nvd
HIGH 8.7

DescriptionGitHub Advisory

OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone technology. In versions 3.13.0 through 4.10.0, missing checks in entry_get_attribute_value() in ta/pkcs11/src/object.c can lead to out-of-bounds read from the PKCS#11 TA heap or a crash. When chained with the OOB read, the PKCS#11 TA function PKCS11_CMD_GET_ATTRIBUTE_VALUE or entry_get_attribute_value() can, with a bad template parameter, be tricked into reading at most 7 bytes beyond the end of the template buffer and writing beyond the end of the template buffer with the content of an attribute value of a PKCS#11 object. Commits e031c4e562023fd9f199e39fd2e85797e4cbdca9, 16926d5a46934c46e6656246b4fc18385a246900, and 149e8d7ecc4ef8bb00ab4a37fd2ccede6d79e1ca contain patches and are anticipated to be part of version 4.11.0.

AnalysisAI

Out-of-bounds read and write in OP-TEE OS PKCS#11 Trusted Application (versions 3.13.0-4.10.0) allows authenticated local attackers with low privileges to read up to 7 bytes beyond heap boundaries and write arbitrary attribute values outside allocated buffers, potentially compromising the integrity and confidentiality of the Trusted Execution Environment. The vulnerability affects Arm TrustZone-based TEE implementations running alongside Linux kernels on Cortex-A cores. Patches available in three upstream commits targeting version 4.11.0. EPSS data not provided; no CISA KEV status indicating targeted rather than widespread exploitation. CVSS 8.7 reflects high confidentiality/integrity impact with scope change, representing potential TEE compromise from the normal world.

Technical ContextAI

OP-TEE (Open Portable Trusted Execution Environment) implements Arm TrustZone technology to create isolated secure-world execution contexts alongside a non-secure Linux kernel on Cortex-A processors. The PKCS#11 Trusted Application (TA) provides cryptographic token interface services within the TEE. The vulnerability (CWE-125: Out-of-bounds Read) exists in the entry_get_attribute_value() function within ta/pkcs11/src/object.c, where insufficient bounds checking on template parameters allows memory access beyond allocated heap buffers. When processing PKCS11_CMD_GET_ATTRIBUTE_VALUE commands, malformed template parameters can trigger reads up to 7 bytes past the template buffer boundary, with the out-of-bounds data then written back beyond the template buffer bounds using PKCS#11 object attribute values. This represents a classic buffer overflow chaining two memory safety violations: OOB read providing targeting information for subsequent OOB write. The CPE identifier confirms affected component as optee_os across the specified version range.

RemediationAI

Upgrade to OP-TEE OS version 4.11.0 or later once released, which will incorporate fixes from commits e031c4e562023fd9f199e39fd2e85797e4cbdca9, 16926d5a46934c46e6656246b4fc18385a246900, and 149e8d7ecc4ef8bb00ab4a37fd2ccede6d79e1ca (patches viewable at https://github.com/OP-TEE/optee_os/commit/149e8d7ecc4ef8bb00ab4a37fd2ccede6d79e1ca and related commit URLs). Organizations requiring immediate mitigation can backport the three patches to their current OP-TEE version, though this requires TEE rebuild and redeployment with firmware updates. As a compensating control until patching, disable the PKCS#11 Trusted Application if not operationally required by setting CFG_PKCS11_TA=n in OP-TEE build configuration, which eliminates the vulnerable code path entirely but removes hardware-backed PKCS#11 cryptographic services, breaking applications dependent on TEE-based key storage and potentially impacting secure boot flows, DRM implementations, and VPN key management. Restrict local user access to systems running vulnerable OP-TEE versions, as PR:L indicates authenticated local access is the attack prerequisite, though this provides limited protection on multi-user embedded Linux systems.

Share

CVE-2026-33317 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy