Skip to main content

OP-TEE OS EUVDEUVD-2026-41906

| CVE-2026-41515 LOW
Observable Timing Discrepancy (CWE-208)
2026-07-06 GitHub_M
3.3
CVSS 3.1 · NVD

Severity by source

Vendor (GitHub_M) PRIMARY
LOW
qualitative
NVD
3.3 LOW
AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
2.5 LOW

Local vector (AV:L) and low privileges (PR:L) confirmed by TEE client invocation requirement; AC:H due to ~1,000-2,000 adaptive queries needed; C:L as only target RSA-OAEP plaintext is recoverable, no integrity or availability impact.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
4.0 AV:L/AC:H/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
CVSS changed
Jul 07, 2026 - 19:07 NVD
2.5 (LOW) 3.3 (LOW)
Patch available
Jul 06, 2026 - 21:16 EUVD
Analysis Generated
Jul 06, 2026 - 20:06 vuln.today

DescriptionNVD

OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone technology. Starting in version 3.9.0 and prior to version 4.11.0, the RSA-OAEP decryption implementation in the NXP CAAM crypto driver uses non-constant-time memcmp() for label hash verification and has multiple distinguishable error paths. This creates a Manger-style padding oracle that allows an attacker to recover RSA-OAEP plaintext with approximately 1000-2000 adaptive chosen ciphertext queries. Version 4.11.0 contains a patch. As a workaround, disable the NXP CAAM RSA driver with CFG_CRYPTO_DRV_RSA=n.

AnalysisAI

RSA-OAEP decryption in OP-TEE OS versions 3.9.0 through 4.10.x exposes a Manger-style padding oracle via the NXP CAAM hardware crypto driver, enabling local low-privileged attackers to recover RSA-OAEP plaintext through approximately 1,000-2,000 adaptive chosen-ciphertext queries. The flaw arises from non-constant-time memcmp() usage during label hash verification combined with multiple distinguishable error paths that leak oracle-exploitable timing and response information. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain local low-privilege access to NXP CAAM device
Delivery
Invoke RSA-OAEP decryption via TEE client API
Exploit
Submit adaptive chosen-ciphertext queries iteratively
Execution
Observe distinguishable error paths or memcmp() timing leakage
Persist
Apply Manger algorithm to narrow plaintext space
Impact
Recover RSA-OAEP plaintext

Vulnerability AssessmentAI

Exploitation Exploitation requires all of the following: (1) physical or logical local access to a device running OP-TEE on an NXP SoC that includes a CAAM hardware accelerator; (2) OP-TEE compiled with CFG_CRYPTO_DRV_RSA=y (the CAAM RSA driver enabled - this may be the default on NXP platforms but is a non-universal build-time choice); (3) low-privilege credentials sufficient to invoke RSA-OAEP decryption operations through the TEE client interface; and (4) the ability to submit approximately 1,000-2,000 adaptive chosen-ciphertext queries without triggering rate limiting or anomaly detection. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 2.5 base score faithfully reflects constrained real-world risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local attacker with low-privilege access on an NXP CAAM-equipped device running OP-TEE 3.9.0-4.10.x invokes the TEE client API to submit approximately 1,000-2,000 adaptively crafted RSA-OAEP ciphertexts, observing the distinguishable error responses or timing side-channel emitted by the non-constant-time memcmp() label hash comparison. By iteratively refining the query set using the Manger algorithm, the attacker statistically recovers the target RSA-OAEP plaintext without knowledge of the private key. …
Remediation Upgrade to OP-TEE OS version 4.11.0, which contains the vendor-confirmed fix for this padding oracle, as documented in the GitHub security advisory at https://github.com/OP-TEE/optee_os/security/advisories/GHSA-5q45-58r5-cq4g. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-41906 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy