Skip to main content

OP-TEE OS EUVDEUVD-2026-34160

| CVE-2026-45702 MEDIUM
Access of Resource Using Incompatible Type (Type Confusion) (CWE-843)
2026-06-03 GitHub_M
4.4
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.4 MEDIUM
AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Patch available
Jun 03, 2026 - 20:01 EUVD
Analysis Generated
Jun 03, 2026 - 19:16 vuln.today

DescriptionGitHub Advisory

OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone technology. Starting in version 4.3.0 and prior to version 4.11.0, a type confusion vulnerability exists in OP-TEE OS when processing an FFA_MEM_SHARE request from the normal world. This only applies when OP-TEE is configured as an SPMC for S-EL0 SPs, that is, with CFG_CORE_SEL1_SPMC=y and CFG_SECURE_PARTITION=y. Version 4.11.0 fixes the issue.

AnalysisAI

Type confusion in OP-TEE OS versions 4.3.0 through 4.10.x allows a highly privileged local attacker operating in the normal world to crash the Trusted Execution Environment by submitting a malformed FFA_MEM_SHARE request, resulting in denial of service of all secure services hosted in the TEE. Exploitation is gated behind a non-default build configuration requiring both CFG_CORE_SEL1_SPMC=y and CFG_SECURE_PARTITION=y, substantially narrowing the affected population to deployments using OP-TEE as an S-EL1 Secure Partition Manager Core. No public exploit code has been identified and the vulnerability is absent from the CISA KEV catalog; the CVSS score of 4.4 (Medium) reflects these real-world constraints accurately.

Technical ContextAI

OP-TEE OS (cpe:2.3:a:op-tee:optee_os:*:*:*:*:*:*:*:*) is an open-source Trusted Execution Environment that runs in the Arm TrustZone secure world alongside a normal-world Linux kernel on Cortex-A processors. The Firmware Framework for Arm (FF-A / FFA) defines a standardized ABI for communication between the normal world, hypervisors, and Secure Partitions (SPs). FFA_MEM_SHARE is an FF-A call used to share memory regions between worlds. When OP-TEE is built as an S-EL1 Secure Partition Manager Core (SPMC) - enabled by CFG_CORE_SEL1_SPMC=y and CFG_SECURE_PARTITION=y - it takes on responsibility for managing S-EL0 Secure Partitions and arbitrating memory-sharing operations. The root cause is CWE-843 (Type Confusion): the SPMC code path that handles incoming FFA_MEM_SHARE descriptors from the normal world incorrectly resolves the type of an object during processing, leading to an operation on mismatched memory structures. This class of vulnerability typically manifests as an invalid memory access or assertion failure, consistent with the CVSS availability-only impact (A:H, C:N, I:N).

RemediationAI

Upgrade to OP-TEE OS version 4.11.0, which contains the authoritative fix per the upstream GitHub Security Advisory (GHSA-86pj-8xgw-66p5) at https://github.com/OP-TEE/optee_os/security/advisories/GHSA-86pj-8xgw-66p5. If an immediate upgrade to 4.11.0 is not feasible, a targeted compensating control is to rebuild OP-TEE without CFG_CORE_SEL1_SPMC=y or CFG_SECURE_PARTITION=y; this eliminates the vulnerable code path entirely but disables S-EL0 Secure Partition support, which may break workloads that depend on S-EL0 SPs such as certain FF-A-based trusted applications. A second option is to restrict which normal-world callers can issue FFA_MEM_SHARE calls through OS-level privilege controls, reducing the attack surface while preserving functionality - though this is a hardening measure and not a fix for the underlying type confusion.

Share

EUVD-2026-34160 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy