Skip to main content

OP-TEE OS EUVDEUVD-2026-25592

| CVE-2026-33662 HIGH
Integer Overflow or Wraparound (CWE-190)
2026-04-24 GitHub_M
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Re-analysis Queued
Apr 24, 2026 - 19:22 vuln.today
cvss_changed
Analysis Generated
Apr 24, 2026 - 19:00 vuln.today
EUVD ID Assigned
Apr 24, 2026 - 18:45 euvd
EUVD-2026-25592
Analysis Generated
Apr 24, 2026 - 18:45 vuln.today
CVE Published
Apr 24, 2026 - 18:13 nvd
HIGH 7.5

DescriptionGitHub Advisory

OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone technology. From 3.8.0 to 4.10, in the function emsa_pkcs1_v1_5_encode() in core/drivers/crypto/crypto_api/acipher/rsassa.c, the amount of padding needed, "PS size", is calculated by subtracting the size of the digest and other fields required for the EMA-PKCS1-v1_5 encoding from the size of the modulus of the key. By selecting a small enough modulus, this subtraction can overflow. The padding is added as a string of 0xFF bytes with a call to memset(), and an underflowed integer will cause the memset() call to overwrite until OP-TEE crashes. This only affects platforms registering RSA acceleration.

AnalysisAI

Integer overflow in OP-TEE OS RSA signature encoding crashes the Trusted Execution Environment on platforms with RSA hardware acceleration. Affects versions 3.8.0 through 4.10 when attackers supply cryptographic operations with deliberately undersized RSA moduli, causing memset() to overwrite memory until the TEE crashes. This denial-of-service attack requires no authentication and can be triggered remotely (CVSS AV:N/PR:N), completely disabling the secure-world environment that protects cryptographic keys, biometric data, and DRM operations on affected Arm TrustZone systems. EPSS data not available; no active exploitation confirmed at time of analysis.

Technical ContextAI

OP-TEE (Open Portable Trusted Execution Environment) implements Arm TrustZone technology to create an isolated secure execution environment alongside the normal Linux kernel on Cortex-A processors. The vulnerability resides in the EMSA-PKCS#1 v1.5 encoding implementation used during RSA signature generation within the crypto API subsystem (core/drivers/crypto/crypto_api/acipher/rsassa.c). EMSA-PKCS#1 v1.5 encoding requires calculating padding size by subtracting the digest size and encoding overhead from the RSA modulus size. The affected function emsa_pkcs1_v1_5_encode() performs this calculation using integer arithmetic vulnerable to CWE-190 (Integer Overflow or Wraparound). When an attacker provides an RSA key with an abnormally small modulus (smaller than the required digest plus encoding fields), the subtraction wraps around to produce a massive unsigned integer. This overflowed value is then passed directly to memset() to fill padding bytes with 0xFF, causing unbounded memory corruption that crashes the TEE. The vulnerability only manifests on platforms that register RSA hardware acceleration drivers with OP-TEE, as software-only implementations follow different code paths.

RemediationAI

Upgrade OP-TEE OS to version 4.11.0 or later, which contains the fix for the integer overflow in emsa_pkcs1_v1_5_encode(). The patch is available through the OP-TEE GitHub repository and detailed in advisory GHSA-4cf8-v5g3-73gr at https://github.com/OP-TEE/optee_os/security/advisories/GHSA-4cf8-v5g3-73gr. Organizations unable to immediately upgrade should implement input validation at the trusted application layer to reject RSA keys with modulus sizes smaller than the minimum required for the intended hash algorithm plus encoding overhead (for example, RSA keys smaller than 512 bits should be rejected for SHA-256 signatures). As a temporary mitigation, disable hardware RSA acceleration in OP-TEE build configuration and fall back to software RSA implementation, though this reduces cryptographic performance. Note that this workaround only prevents exploitation if the RSA acceleration driver can be cleanly disabled without breaking dependencies in trusted applications. Verify that crash recovery procedures do not leak secure-world memory contents through core dumps or debug interfaces.

Share

EUVD-2026-25592 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy