Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionGitHub Advisory
OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone technology. From 3.8.0 to 4.10, in the function emsa_pkcs1_v1_5_encode() in core/drivers/crypto/crypto_api/acipher/rsassa.c, the amount of padding needed, "PS size", is calculated by subtracting the size of the digest and other fields required for the EMA-PKCS1-v1_5 encoding from the size of the modulus of the key. By selecting a small enough modulus, this subtraction can overflow. The padding is added as a string of 0xFF bytes with a call to memset(), and an underflowed integer will cause the memset() call to overwrite until OP-TEE crashes. This only affects platforms registering RSA acceleration.
AnalysisAI
Integer overflow in OP-TEE OS RSA signature encoding crashes the Trusted Execution Environment on platforms with RSA hardware acceleration. Affects versions 3.8.0 through 4.10 when attackers supply cryptographic operations with deliberately undersized RSA moduli, causing memset() to overwrite memory until the TEE crashes. This denial-of-service attack requires no authentication and can be triggered remotely (CVSS AV:N/PR:N), completely disabling the secure-world environment that protects cryptographic keys, biometric data, and DRM operations on affected Arm TrustZone systems. EPSS data not available; no active exploitation confirmed at time of analysis.
Technical ContextAI
OP-TEE (Open Portable Trusted Execution Environment) implements Arm TrustZone technology to create an isolated secure execution environment alongside the normal Linux kernel on Cortex-A processors. The vulnerability resides in the EMSA-PKCS#1 v1.5 encoding implementation used during RSA signature generation within the crypto API subsystem (core/drivers/crypto/crypto_api/acipher/rsassa.c). EMSA-PKCS#1 v1.5 encoding requires calculating padding size by subtracting the digest size and encoding overhead from the RSA modulus size. The affected function emsa_pkcs1_v1_5_encode() performs this calculation using integer arithmetic vulnerable to CWE-190 (Integer Overflow or Wraparound). When an attacker provides an RSA key with an abnormally small modulus (smaller than the required digest plus encoding fields), the subtraction wraps around to produce a massive unsigned integer. This overflowed value is then passed directly to memset() to fill padding bytes with 0xFF, causing unbounded memory corruption that crashes the TEE. The vulnerability only manifests on platforms that register RSA hardware acceleration drivers with OP-TEE, as software-only implementations follow different code paths.
RemediationAI
Upgrade OP-TEE OS to version 4.11.0 or later, which contains the fix for the integer overflow in emsa_pkcs1_v1_5_encode(). The patch is available through the OP-TEE GitHub repository and detailed in advisory GHSA-4cf8-v5g3-73gr at https://github.com/OP-TEE/optee_os/security/advisories/GHSA-4cf8-v5g3-73gr. Organizations unable to immediately upgrade should implement input validation at the trusted application layer to reject RSA keys with modulus sizes smaller than the minimum required for the intended hash algorithm plus encoding overhead (for example, RSA keys smaller than 512 bits should be rejected for SHA-256 signatures). As a temporary mitigation, disable hardware RSA acceleration in OP-TEE build configuration and fall back to software RSA implementation, though this reduces cryptographic performance. Note that this workaround only prevents exploitation if the RSA acceleration driver can be cleanly disabled without breaking dependencies in trusted applications. Verify that crash recovery procedures do not leak secure-world memory contents through core dumps or debug interfaces.
Same weakness CWE-190 – Integer Overflow or Wraparound
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25592