Source: optee-os
Version: 4.10.0-2
Severity: grave
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for optee-os.

CVE-2026-40257[0]:
| OP-TEE is a Trusted Execution Environment (TEE) designed as
| companion to a non-secure Linux kernel running on Arm; Cortex-A
| cores using the TrustZone technology. Starting in version 3.21.0 and
| prior to version 4.11.0, the ARM Crypto Extensions accelerated SHA-3
| implementation has an off-by-one error that can cause a massive heap
| overflow that corrupts all TEE kernel memory following the hash
| state. This affects all platforms built with
| `CFG_CRYPTO_WITH_CE82=y` (ARMv8.2+ with SHA3 Crypto Extensions).
| Version 4.11.0 contains a patch. As a workaround, disable SHA3
| Crypto Extensions with `CFG_CRYPTO_WITH_CE82=n`.


CVE-2026-41434[1]:
| OP-TEE is a Trusted Execution Environment (TEE) designed as
| companion to a non-secure Linux kernel running on Arm; Cortex-A
| cores using the TrustZone technology. Starting in version 3.10.0 and
| prior to version 4.11.0, an unbounded recursion can crash the
| PKCS#11 TA. Version 4.11.0 contains a patch. No known workarounds
| are available.


CVE-2026-41514[2]:
| OP-TEE is a Trusted Execution Environment (TEE) designed as
| companion to a non-secure Linux kernel running on Arm; Cortex-A
| cores using the TrustZone technology. Starting in version 4.5.0 and
| prior to version 4.11.0, the RSA-OAEP decryption implementation in
| the Hisilicon HPRE crypto driver uses non-constant-time `memcmp()`
| for label hash verification and has multiple distinguishable error
| paths. This creates a Manger-style padding oracle that allows an
| attacker to recover RSA-OAEP plaintext with approximately 1000-2000
| adaptive chosen ciphertext queries. Only affects plat-d06 with
| `CFG_HISILICON_ACC_V3=y`, which seems to be disabled by default.
| Version 4.11.0 contains a patch. As a workaround, disable Hisilicon
| HPRE RSA driver with `CFG_HISILICON_ACC_V3=n`.


CVE-2026-41515[3]:
| OP-TEE is a Trusted Execution Environment (TEE) designed as
| companion to a non-secure Linux kernel running on Arm; Cortex-A
| cores using the TrustZone technology. Starting in version 3.9.0 and
| prior to version 4.11.0, the RSA-OAEP decryption implementation in
| the NXP CAAM crypto driver uses non-constant-time `memcmp()` for
| label hash verification and has multiple distinguishable error
| paths. This creates a Manger-style padding oracle that allows an
| attacker to recover RSA-OAEP plaintext with approximately 1000-2000
| adaptive chosen ciphertext queries. Version 4.11.0 contains a patch.
| As a workaround, disable the NXP CAAM RSA driver with
| `CFG_CRYPTO_DRV_RSA=n`.


CVE-2026-41516[4]:
| OP-TEE is a Trusted Execution Environment (TEE) designed as
| companion to a non-secure Linux kernel running on Arm; Cortex-A
| cores using the TrustZone technology. Starting in version 4.5.0 and
| prior to version 4.11.0, the RSA PKCS#1 v1.5 decryption
| implementation in the Hisilicon HPRE crypto driver uses non-
| constant-time `memcmp()` for label hash verification and has
| multiple distinguishable error paths. This creates a Bleichenbacher-
| style padding oracle that allows an attacker to recover RSA PKCS#1
| v1.5  plaintext. Version 4.11.0 contains a patch. As a workaround,
| disable Hisilicon HPRE RSA driver with `CFG_HISILICON_ACC_V3=n`.


CVE-2026-42546[5]:
| OP-TEE is a Trusted Execution Environment (TEE) designed as
| companion to a non-secure Linux kernel running on Arm; Cortex-A
| cores using the TrustZone technology. Starting in version 3.3.0 and
| prior to version 4.11.0, a resource leak exists in OP-TEE’s shared
| memory cleanup logic because the function `cleanup_shm_refs()` in
| `core/tee/entry_std.c`  fails to apply a required bitmask
| (`OPTEE_MSG_ATTR_TYPE_MASK`) to parameter attributes. When
| processing non-contiguous memory parameters from a normal-world
| caller, the system fails to match the attribute type in its internal
| switch statement and skips the necessary mobj_put() call. This
| results in a persistent reference leak of `mobj_reg_shm` objects,
| which remain on internal lists with dangling refcounts. This affects
| non-FF-A configurations that support non-contiguous, non-secure
| shared memory. Over time, these accumulated leaks progressively
| consume the secure-world heap, degrading the system's ability to
| service trusted application operations and eventually requiring a
| reboot to recover. Version 4.11.0 contains a patch. No known
| workarounds are available.


CVE-2026-44362[6]:
| OP-TEE is a Trusted Execution Environment (TEE) designed as
| companion to a non-secure Linux kernel running on Arm; Cortex-A
| cores using the TrustZone technology. Starting in version 3.20.0 and
| prior to version 4.11.0, a vulnerability in OP-TEE’s subkey rollback
| protection allows the use of revoked or older subkey versions
| because the system fails to propagate versioning data during the
| Trusted Application (TA) loading process. In
| `core/crypto/signed_hdr.c`, the function `shdr_load_pub_key()`
| parses subkey headers but does not assign the `subkey_version` to
| the runtime `shdr_pub_key` structure. As a result, the
| `key->version` field remains at zero regardless of the version
| specified in the header. When `ree_fs_ta_open()` in
| `core/kernel/ree_fs_ta.c` calls `check_update_version()`, it passes
| this zeroed version to the rollback database. Because the database
| never receives a non-zero version to record, it never advances,
| effectively bypassing the rollback check and allowing TAs signed
| with downgraded subkey chains to load successfully. This impacts OP-
| TEE mainline configurations that utilize subkey-based signing chains
| for Trusted Application (TA) authentication. Version 4.11.0 contains
| a patch. No known workarounds are available.


CVE-2026-53763[7]:
| OP-TEE is a Trusted Execution Environment (TEE) designed as
| companion to a non-secure Linux kernel running on Arm; Cortex-A
| cores using the TrustZone technology. Starting in version 3.0.0 and
| prior to version 4.11.0, 32-bit integer overflows in OP-TEE core's
| AES-GCM implementation cause the authentication tag to be computed
| with incorrect bit-length values after processing more than 512
| megabytes of payload or Additional Authenticated Data (AAD). Version
| 4.11.0 contains a patch. No known workarounds are available.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-40257
    https://www.cve.org/CVERecord?id=CVE-2026-40257
[1] https://security-tracker.debian.org/tracker/CVE-2026-41434
    https://www.cve.org/CVERecord?id=CVE-2026-41434
[2] https://security-tracker.debian.org/tracker/CVE-2026-41514
    https://www.cve.org/CVERecord?id=CVE-2026-41514
[3] https://security-tracker.debian.org/tracker/CVE-2026-41515
    https://www.cve.org/CVERecord?id=CVE-2026-41515
[4] https://security-tracker.debian.org/tracker/CVE-2026-41516
    https://www.cve.org/CVERecord?id=CVE-2026-41516
[5] https://security-tracker.debian.org/tracker/CVE-2026-42546
    https://www.cve.org/CVERecord?id=CVE-2026-42546
[6] https://security-tracker.debian.org/tracker/CVE-2026-44362
    https://www.cve.org/CVERecord?id=CVE-2026-44362
[7] https://security-tracker.debian.org/tracker/CVE-2026-53763
    https://www.cve.org/CVERecord?id=CVE-2026-53763

Regards,
Salvatore

Reply via email to