Skip to main content

OP-TEE OS EUVDEUVD-2026-41911

| CVE-2026-44362 MEDIUM
Improper Authorization (CWE-285)
2026-07-06 GitHub_M
5.5
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
vuln.today AI
5.5 MEDIUM

Local access with low privilege needed to reach the TA loader; integrity-only impact (rollback bypass); scope unchanged as compromise stays within the TEE loading subsystem.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

3
Patch available
Jul 06, 2026 - 21:16 EUVD
Analysis Generated
Jul 06, 2026 - 20:11 vuln.today
CVE Published
Jul 06, 2026 - 19:33 cve.org
MEDIUM 5.5

DescriptionCVE.org

OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone technology. Starting in version 3.20.0 and prior to version 4.11.0, a vulnerability in OP-TEE’s subkey rollback protection allows the use of revoked or older subkey versions because the system fails to propagate versioning data during the Trusted Application (TA) loading process. In core/crypto/signed_hdr.c, the function shdr_load_pub_key() parses subkey headers but does not assign the subkey_version to the runtime shdr_pub_key structure. As a result, the key->version field remains at zero regardless of the version specified in the header. When ree_fs_ta_open() in core/kernel/ree_fs_ta.c calls check_update_version(), it passes this zeroed version to the rollback database. Because the database never receives a non-zero version to record, it never advances, effectively bypassing the rollback check and allowing TAs signed with downgraded subkey chains to load successfully. This impacts OP-TEE mainline configurations that utilize subkey-based signing chains for Trusted Application (TA) authentication. Version 4.11.0 contains a patch. No known workarounds are available.

AnalysisAI

Subkey rollback protection in OP-TEE OS versions 3.20.0 through 4.10.x is completely non-functional due to a missing field assignment in the Trusted Application loading pipeline, allowing revoked or downgraded subkeys to authenticate TAs without detection. A locally authenticated attacker who can supply TA binaries to the REE filesystem loader can bypass the entire key-chain revocation model, loading previously invalidated trusted code into the TrustZone secure world. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain local authenticated access to device
Delivery
Acquire TA binary signed with revoked subkey
Exploit
Submit TA to ree_fs_ta_open() loader
Execution
shdr_load_pub_key() drops subkey_version, key->version stays zero
Persist
check_update_version() passes rollback check unconditionally
Impact
Revoked TA loaded into TrustZone secure world

Vulnerability AssessmentAI

Exploitation Exploitation requires local authenticated access (PR:L per CVSS vector) with the ability to present a TA binary to the REE filesystem TA loader (`ree_fs_ta_open()`). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N accurately reflects real-world risk: exploitation requires local authenticated access with no network-facing attack surface and no confidentiality or availability impact, yielding a base score of 5.5. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A locally authenticated attacker on an OP-TEE-enabled device running versions 3.20.0-4.10.x obtains or crafts a TA binary signed with a previously revoked or older-version subkey - for instance, a key deliberately revoked after a prior TA compromise. The attacker submits this TA through the normal `ree_fs_ta_open()` loading path; because `shdr_load_pub_key()` silently drops `subkey_version` and `key->version` stays zero, `check_update_version()` passes the rollback check unconditionally, and the TEE loads the unauthorized TA into the TrustZone secure world. …
Remediation Upgrade to OP-TEE OS version 4.11.0, which contains the vendor-confirmed patch correcting `shdr_load_pub_key()` to properly assign `subkey_version` to the runtime `shdr_pub_key` structure before `check_update_version()` is invoked. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-41911 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy