Source: optee-os Version: 4.10.0-2 Severity: grave Tags: security upstream X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi, The following vulnerabilities were published for optee-os. CVE-2026-40257[0]: | OP-TEE is a Trusted Execution Environment (TEE) designed as | companion to a non-secure Linux kernel running on Arm; Cortex-A | cores using the TrustZone technology. Starting in version 3.21.0 and | prior to version 4.11.0, the ARM Crypto Extensions accelerated SHA-3 | implementation has an off-by-one error that can cause a massive heap | overflow that corrupts all TEE kernel memory following the hash | state. This affects all platforms built with | `CFG_CRYPTO_WITH_CE82=y` (ARMv8.2+ with SHA3 Crypto Extensions). | Version 4.11.0 contains a patch. As a workaround, disable SHA3 | Crypto Extensions with `CFG_CRYPTO_WITH_CE82=n`. CVE-2026-41434[1]: | OP-TEE is a Trusted Execution Environment (TEE) designed as | companion to a non-secure Linux kernel running on Arm; Cortex-A | cores using the TrustZone technology. Starting in version 3.10.0 and | prior to version 4.11.0, an unbounded recursion can crash the | PKCS#11 TA. Version 4.11.0 contains a patch. No known workarounds | are available. CVE-2026-41514[2]: | OP-TEE is a Trusted Execution Environment (TEE) designed as | companion to a non-secure Linux kernel running on Arm; Cortex-A | cores using the TrustZone technology. Starting in version 4.5.0 and | prior to version 4.11.0, the RSA-OAEP decryption implementation in | the Hisilicon HPRE crypto driver uses non-constant-time `memcmp()` | for label hash verification and has multiple distinguishable error | paths. This creates a Manger-style padding oracle that allows an | attacker to recover RSA-OAEP plaintext with approximately 1000-2000 | adaptive chosen ciphertext queries. Only affects plat-d06 with | `CFG_HISILICON_ACC_V3=y`, which seems to be disabled by default. | Version 4.11.0 contains a patch. As a workaround, disable Hisilicon | HPRE RSA driver with `CFG_HISILICON_ACC_V3=n`. CVE-2026-41515[3]: | OP-TEE is a Trusted Execution Environment (TEE) designed as | companion to a non-secure Linux kernel running on Arm; Cortex-A | cores using the TrustZone technology. Starting in version 3.9.0 and | prior to version 4.11.0, the RSA-OAEP decryption implementation in | the NXP CAAM crypto driver uses non-constant-time `memcmp()` for | label hash verification and has multiple distinguishable error | paths. This creates a Manger-style padding oracle that allows an | attacker to recover RSA-OAEP plaintext with approximately 1000-2000 | adaptive chosen ciphertext queries. Version 4.11.0 contains a patch. | As a workaround, disable the NXP CAAM RSA driver with | `CFG_CRYPTO_DRV_RSA=n`. CVE-2026-41516[4]: | OP-TEE is a Trusted Execution Environment (TEE) designed as | companion to a non-secure Linux kernel running on Arm; Cortex-A | cores using the TrustZone technology. Starting in version 4.5.0 and | prior to version 4.11.0, the RSA PKCS#1 v1.5 decryption | implementation in the Hisilicon HPRE crypto driver uses non- | constant-time `memcmp()` for label hash verification and has | multiple distinguishable error paths. This creates a Bleichenbacher- | style padding oracle that allows an attacker to recover RSA PKCS#1 | v1.5 plaintext. Version 4.11.0 contains a patch. As a workaround, | disable Hisilicon HPRE RSA driver with `CFG_HISILICON_ACC_V3=n`. CVE-2026-42546[5]: | OP-TEE is a Trusted Execution Environment (TEE) designed as | companion to a non-secure Linux kernel running on Arm; Cortex-A | cores using the TrustZone technology. Starting in version 3.3.0 and | prior to version 4.11.0, a resource leak exists in OP-TEE’s shared | memory cleanup logic because the function `cleanup_shm_refs()` in | `core/tee/entry_std.c` fails to apply a required bitmask | (`OPTEE_MSG_ATTR_TYPE_MASK`) to parameter attributes. When | processing non-contiguous memory parameters from a normal-world | caller, the system fails to match the attribute type in its internal | switch statement and skips the necessary mobj_put() call. This | results in a persistent reference leak of `mobj_reg_shm` objects, | which remain on internal lists with dangling refcounts. This affects | non-FF-A configurations that support non-contiguous, non-secure | shared memory. Over time, these accumulated leaks progressively | consume the secure-world heap, degrading the system's ability to | service trusted application operations and eventually requiring a | reboot to recover. Version 4.11.0 contains a patch. No known | workarounds are available. CVE-2026-44362[6]: | OP-TEE is a Trusted Execution Environment (TEE) designed as | companion to a non-secure Linux kernel running on Arm; Cortex-A | cores using the TrustZone technology. Starting in version 3.20.0 and | prior to version 4.11.0, a vulnerability in OP-TEE’s subkey rollback | protection allows the use of revoked or older subkey versions | because the system fails to propagate versioning data during the | Trusted Application (TA) loading process. In | `core/crypto/signed_hdr.c`, the function `shdr_load_pub_key()` | parses subkey headers but does not assign the `subkey_version` to | the runtime `shdr_pub_key` structure. As a result, the | `key->version` field remains at zero regardless of the version | specified in the header. When `ree_fs_ta_open()` in | `core/kernel/ree_fs_ta.c` calls `check_update_version()`, it passes | this zeroed version to the rollback database. Because the database | never receives a non-zero version to record, it never advances, | effectively bypassing the rollback check and allowing TAs signed | with downgraded subkey chains to load successfully. This impacts OP- | TEE mainline configurations that utilize subkey-based signing chains | for Trusted Application (TA) authentication. Version 4.11.0 contains | a patch. No known workarounds are available. CVE-2026-53763[7]: | OP-TEE is a Trusted Execution Environment (TEE) designed as | companion to a non-secure Linux kernel running on Arm; Cortex-A | cores using the TrustZone technology. Starting in version 3.0.0 and | prior to version 4.11.0, 32-bit integer overflows in OP-TEE core's | AES-GCM implementation cause the authentication tag to be computed | with incorrect bit-length values after processing more than 512 | megabytes of payload or Additional Authenticated Data (AAD). Version | 4.11.0 contains a patch. No known workarounds are available. If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2026-40257 https://www.cve.org/CVERecord?id=CVE-2026-40257 [1] https://security-tracker.debian.org/tracker/CVE-2026-41434 https://www.cve.org/CVERecord?id=CVE-2026-41434 [2] https://security-tracker.debian.org/tracker/CVE-2026-41514 https://www.cve.org/CVERecord?id=CVE-2026-41514 [3] https://security-tracker.debian.org/tracker/CVE-2026-41515 https://www.cve.org/CVERecord?id=CVE-2026-41515 [4] https://security-tracker.debian.org/tracker/CVE-2026-41516 https://www.cve.org/CVERecord?id=CVE-2026-41516 [5] https://security-tracker.debian.org/tracker/CVE-2026-42546 https://www.cve.org/CVERecord?id=CVE-2026-42546 [6] https://security-tracker.debian.org/tracker/CVE-2026-44362 https://www.cve.org/CVERecord?id=CVE-2026-44362 [7] https://security-tracker.debian.org/tracker/CVE-2026-53763 https://www.cve.org/CVERecord?id=CVE-2026-53763 Regards, Salvatore

