Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Local-only attack requiring TEE client API access (AV:L, PR:L); crash of PKCS#11 TA yields limited availability impact only, no data exposure or integrity change.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
2DescriptionCVE.org
OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone technology. Starting in version 3.10.0 and prior to version 4.11.0, an unbounded recursion can crash the PKCS#11 TA. Version 4.11.0 contains a patch. No known workarounds are available.
AnalysisAI
Stack exhaustion via unbounded recursion in the OP-TEE PKCS#11 Trusted Application allows a local low-privileged user to crash the TA, causing a denial of service within the TrustZone secure world. Affected versions span 3.10.0 through 4.10.x of optee_os running on Arm Cortex-A platforms with TrustZone enabled. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires local access to the system with at least low-privilege credentials (PR:L per CVSS vector). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 3.3 (Low) accurately reflects the constrained blast radius: the attack vector is Local (AV:L), complexity is Low (AC:L), privileges required are Low (PR:L), and impact is limited to Availability:Low with no confidentiality or integrity components. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local user with standard (non-root) privileges on the Linux host calls the TEE client API to interact with the PKCS#11 TA and sends a specially crafted request that triggers unbounded recursive processing within the TA. The recursion exhausts the TA's fixed secure-world stack, causing a crash and rendering the PKCS#11 TA unavailable. … |
| Remediation | Upgrade optee_os to version 4.11.0, which contains the patch for this vulnerability as confirmed by the GitHub Security Advisory GHSA-wh38-23ff-grff (https://github.com/OP-TEE/optee_os/security/advisories/GHSA-wh38-23ff-grff). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Subkey rollback protection in OP-TEE OS versions 3.20.0 through 4.10.x is completely non-functional due to a missing fie
Heap overflow in OP-TEE's ARM Crypto Extensions SHA-3 implementation corrupts TEE kernel memory across all platforms bui
Integer overflow in OP-TEE OS's AES-GCM implementation silently corrupts authentication tag computation when a single op
Heap exhaustion in OP-TEE OS (versions 3.3.0 through 4.10.x) allows a low-privileged normal-world local caller to progre
RSA PKCS#1 v1.5 decryption in OP-TEE's Hisilicon HPRE hardware accelerator driver exposes a Bleichenbacher-style padding
RSA-OAEP decryption in OP-TEE OS versions 4.5.0 through 4.10.x exposes a Manger-style padding oracle via the Hisilicon H
RSA-OAEP decryption in OP-TEE OS versions 3.9.0 through 4.10.x exposes a Manger-style padding oracle via the NXP CAAM ha
Same weakness CWE-121 – Stack-based Buffer Overflow
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41893