Skip to main content

OP-TEE OS CVE-2026-40257

| EUVDEUVD-2026-41891 MEDIUM
Out-of-bounds Write (CWE-787)
2026-07-06 GitHub_M
5.5
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.1 HIGH

Local vector and low privileges confirmed; integrity set to High because heap corruption of TEE kernel memory constitutes a meaningful integrity violation beyond mere crash.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Patch available
Jul 06, 2026 - 18:02 EUVD
Analysis Generated
Jul 06, 2026 - 17:11 vuln.today
CVE Published
Jul 06, 2026 - 16:26 cve.org
MEDIUM 5.5

DescriptionCVE.org

OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone technology. Starting in version 3.21.0 and prior to version 4.11.0, the ARM Crypto Extensions accelerated SHA-3 implementation has an off-by-one error that can cause a massive heap overflow that corrupts all TEE kernel memory following the hash state. This affects all platforms built with CFG_CRYPTO_WITH_CE82=y (ARMv8.2+ with SHA3 Crypto Extensions). Version 4.11.0 contains a patch. As a workaround, disable SHA3 Crypto Extensions with CFG_CRYPTO_WITH_CE82=n.

AnalysisAI

Heap overflow in OP-TEE's ARM Crypto Extensions SHA-3 implementation corrupts TEE kernel memory across all platforms built with CFG_CRYPTO_WITH_CE82=y (ARMv8.2+ SHA3 extensions). The off-by-one error in the accelerated SHA-3 path overwrites memory beyond the hash state buffer, potentially corrupting all TEE kernel heap memory that follows. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain low-privileged Linux shell
Delivery
Invoke OP-TEE Trusted Application session
Exploit
Trigger SHA-3 hash operation via ARM CE path
Execution
Off-by-one overflows TEE heap buffer
Persist
TEE kernel memory corrupted
Impact
Secure world crash or controlled memory overwrite

Vulnerability AssessmentAI

Exploitation Exploitation requires three concurrent conditions: (1) the target device must have OP-TEE OS built with CFG_CRYPTO_WITH_CE82=y - this is a non-default compile-time flag requiring ARMv8.2+ hardware with SHA3 Crypto Extensions support, so it is not present on all OP-TEE deployments; (2) the attacker must have at least low-privileged code execution on the non-secure Linux side and the ability to invoke an OP-TEE Trusted Application session that exercises the SHA-3 hash path; and (3) the affected version must be in the range 3.21.0 to 4.10.x. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The official CVSS 3.1 score of 5.5 (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) captures only the availability dimension, but the described impact - corrupting 'all TEE kernel memory following the hash state' - implies meaningful integrity consequences that C:N/I:N may understate. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with low-privilege code execution on the Linux non-secure OS (e.g., via an unprivileged shell or compromised application) invokes a Trusted Application in OP-TEE that performs a SHA-3 hash operation. The off-by-one error in the ARM CE-accelerated SHA-3 path triggers a write beyond the hash state buffer, overflowing into adjacent TEE kernel heap memory and corrupting secure-world data structures, potentially crashing the TEE or enabling escalation within the secure world. …
Remediation Upgrade to OP-TEE OS version 4.11.0, which contains the official patch for the off-by-one error in the SHA-3 ARM Crypto Extensions implementation. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-40257 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy