Severity by source
AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
2DescriptionGitHub Advisory
OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone technology. Starting in version 4.3.0 and prior to version 4.11.0, a type confusion vulnerability exists in OP-TEE OS when processing an FFA_MEM_SHARE request from the normal world. This only applies when OP-TEE is configured as an SPMC for S-EL0 SPs, that is, with CFG_CORE_SEL1_SPMC=y and CFG_SECURE_PARTITION=y. Version 4.11.0 fixes the issue.
AnalysisAI
Type confusion in OP-TEE OS versions 4.3.0 through 4.10.x allows a highly privileged local attacker operating in the normal world to crash the Trusted Execution Environment by submitting a malformed FFA_MEM_SHARE request, resulting in denial of service of all secure services hosted in the TEE. Exploitation is gated behind a non-default build configuration requiring both CFG_CORE_SEL1_SPMC=y and CFG_SECURE_PARTITION=y, substantially narrowing the affected population to deployments using OP-TEE as an S-EL1 Secure Partition Manager Core. No public exploit code has been identified and the vulnerability is absent from the CISA KEV catalog; the CVSS score of 4.4 (Medium) reflects these real-world constraints accurately.
Technical ContextAI
OP-TEE OS (cpe:2.3:a:op-tee:optee_os:*:*:*:*:*:*:*:*) is an open-source Trusted Execution Environment that runs in the Arm TrustZone secure world alongside a normal-world Linux kernel on Cortex-A processors. The Firmware Framework for Arm (FF-A / FFA) defines a standardized ABI for communication between the normal world, hypervisors, and Secure Partitions (SPs). FFA_MEM_SHARE is an FF-A call used to share memory regions between worlds. When OP-TEE is built as an S-EL1 Secure Partition Manager Core (SPMC) - enabled by CFG_CORE_SEL1_SPMC=y and CFG_SECURE_PARTITION=y - it takes on responsibility for managing S-EL0 Secure Partitions and arbitrating memory-sharing operations. The root cause is CWE-843 (Type Confusion): the SPMC code path that handles incoming FFA_MEM_SHARE descriptors from the normal world incorrectly resolves the type of an object during processing, leading to an operation on mismatched memory structures. This class of vulnerability typically manifests as an invalid memory access or assertion failure, consistent with the CVSS availability-only impact (A:H, C:N, I:N).
RemediationAI
Upgrade to OP-TEE OS version 4.11.0, which contains the authoritative fix per the upstream GitHub Security Advisory (GHSA-86pj-8xgw-66p5) at https://github.com/OP-TEE/optee_os/security/advisories/GHSA-86pj-8xgw-66p5. If an immediate upgrade to 4.11.0 is not feasible, a targeted compensating control is to rebuild OP-TEE without CFG_CORE_SEL1_SPMC=y or CFG_SECURE_PARTITION=y; this eliminates the vulnerable code path entirely but disables S-EL0 Secure Partition support, which may break workloads that depend on S-EL0 SPs such as certain FF-A-based trusted applications. A second option is to restrict which normal-world callers can issue FFA_MEM_SHARE calls through OS-level privilege controls, reducing the attack surface while preserving functionality - though this is a hardening measure and not a fix for the underlying type confusion.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34160