CVE-2026-40290
Received - Intake
Use-After-Free in OP-TEE Trusted Execution Environment

Publication date: 2026-06-03

Last updated on: 2026-06-03

Assigner: GitHub, Inc.

Description
OP-TEE is a Trusted Execution Environment (TEE) designed as a companion to a non-secure Linux kernel running on Arm Cortex-A cores using the TrustZone technology. Starting in version 3.16.0 and prior to 4.11.0, a use-after-free (UAF) race condition exists in the shared memory teardown logic of FF-A within OP-TEE SPMC/SP flows. This only applies when OP-TEE is configured as an SPMC for S-EL0 SPs, that is, with `CFG_SECURE_PARTITION=y`. The function `sp_mem_remove()`, responsible for freeing entries in `smem->receivers` and `smem->regions`, fails to acquire the global `sp_mem_lock` before performing the `free()` operations. Concurrently, other code paths, such as `sp_mem_get_receiver()`, iterate over these same lists without holding a lock, or, like `sp_mem_is_shared()`, iterate while holding the lock but are not serialized against the unprotected `free()` in `sp_mem_remove()`. This creates a cross-thread race where a thread iterating the list can acquire a pointer to an entry (e.g., `struct sp_mem_map_region` or `struct sp_mem_receiver`), and then another thread calls `sp_mem_remove()`, freeing the object. When the first thread resumes and dereferences the pointer, the result is a use-after-free. Version 4.11.0 fixes the issue.
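The locking defect described above, reduced to a small C model. This is an added example and not OP-TEE code: the struct layouts, the singly linked lists, the `lock()`/`unlock()` helpers, `audited_free()`, `sp_mem_unlocked_free_count()`, `sp_mem_remove_vulnerable()`, `sp_mem_remove_fixed()` and `sp_mem_get_receiver_copy()` are all hypothetical simplifications of the `sp_mem_*` flow the advisory names. The vulnerable variant frees receivers with `sp_mem_lock` not held; the fixed variant runs the whole teardown under the lock, which is the repair the advisory describes. The copy-out reader is an additional defensive design choice of this example, not something the advisory attributes to OP-TEE, and the free-audit counter is how a debug build could catch the same class of mistake.

```c
/* Hypothetical model of the sp_mem_* teardown race (CVE-2026-40290).
 * Not OP-TEE code: every type and function here is a simplification. */
#include <pthread.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

struct sp_mem_receiver {              /* hypothetical: one endpoint a region is shared with */
	uint16_t endpoint_id;
	uint8_t perm;
	struct sp_mem_receiver *next;
};

struct sp_mem {                       /* hypothetical: one shared-memory descriptor */
	uint64_t handle;
	struct sp_mem_receiver *receivers;
	struct sp_mem *next;
};

static struct sp_mem *sp_mem_list;    /* all live shares, meant to be guarded by sp_mem_lock */
static pthread_mutex_t sp_mem_lock = PTHREAD_MUTEX_INITIALIZER;
static bool sp_mem_lock_held;         /* debug bookkeeping for the audit below */
static unsigned unlocked_frees;       /* audit counter: frees done outside the lock */

static void lock(void)   { pthread_mutex_lock(&sp_mem_lock); sp_mem_lock_held = true; }
static void unlock(void) { sp_mem_lock_held = false; pthread_mutex_unlock(&sp_mem_lock); }

/* Audited free(): records every release that happens with the lock not held.
 * A debug build would make this assert(sp_mem_lock_held) instead of counting. */
static void audited_free(void *p)
{
	if (!sp_mem_lock_held)
		unlocked_frees++;
	free(p);
}

unsigned sp_mem_unlocked_free_count(void) { return unlocked_frees; }

struct sp_mem *sp_mem_new(uint64_t handle)
{
	struct sp_mem *smem = calloc(1, sizeof(*smem));
	if (!smem)
		return NULL;
	smem->handle = handle;
	lock();
	smem->next = sp_mem_list;
	sp_mem_list = smem;
	unlock();
	return smem;
}

bool sp_mem_add_receiver(struct sp_mem *smem, uint16_t endpoint_id, uint8_t perm)
{
	struct sp_mem_receiver *r = calloc(1, sizeof(*r));
	if (!r)
		return false;
	r->endpoint_id = endpoint_id;
	r->perm = perm;
	lock();
	r->next = smem->receivers;
	smem->receivers = r;
	unlock();
	return true;
}

/* Shared body of both remove variants: unlink smem from the global list and
 * release it and its receivers. Takes no lock itself; the caller decides. */
static void sp_mem_teardown(struct sp_mem *smem)
{
	struct sp_mem **pp = &sp_mem_list;
	while (*pp && *pp != smem)
		pp = &(*pp)->next;
	if (*pp)
		*pp = smem->next;
	for (struct sp_mem_receiver *r = smem->receivers; r;) {
		struct sp_mem_receiver *next = r->next;
		audited_free(r);            /* receiver freed; a concurrent iterator may still hold r */
		r = next;
	}
	audited_free(smem);
}

/* Vulnerable shape from the advisory: entries are freed with sp_mem_lock not
 * held, so a reader that already took a pointer can dereference freed memory. */
void sp_mem_remove_vulnerable(struct sp_mem *smem) { sp_mem_teardown(smem); }

/* Fixed shape: the whole teardown runs under sp_mem_lock, serializing it
 * against every reader that iterates under the same lock. */
void sp_mem_remove_fixed(struct sp_mem *smem)
{
	lock();
	sp_mem_teardown(smem);
	unlock();
}

/* Reader that copies the matching receiver out while holding the lock, so no
 * pointer into the list survives past the critical section. */
bool sp_mem_get_receiver_copy(uint64_t handle, uint16_t endpoint_id,
			      struct sp_mem_receiver *out)
{
	bool found = false;
	lock();
	for (struct sp_mem *s = sp_mem_list; s && !found; s = s->next) {
		if (s->handle != handle)
			continue;
		for (struct sp_mem_receiver *r = s->receivers; r; r = r->next) {
			if (r->endpoint_id == endpoint_id) {
				*out = *r;
				out->next = NULL;       /* never leak a list pointer to the caller */
				found = true;
				break;
			}
		}
	}
	unlock();
	return found;
}
```

Removing a share with two receivers through the vulnerable path records three frees done outside the lock (two receivers plus the descriptor); the fixed path records none. In a real code base the equivalent check is a lock-held assertion on every free path that touches a list protected by `sp_mem_lock`, which turns this class of race into a deterministic debug failure instead of an intermittent crash in the secure world.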
Meta Information
Published: 2026-06-03
Last Modified: 2026-06-03
Generated: 2026-06-04
AI Q&A: 2026-06-03
EPSS Evaluated: N/A
Affected Vendors & Products (2 associated CPEs)
Vendor   Product   Version / Range
op-tee   op-tee    4.11.0
op-tee   op-tee    up to 4.11.0 (excluding)
CWE ID    Description
CWE-416   The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-40290 is a high-severity Use-After-Free (UAF) race condition vulnerability in OP-TEE, a Trusted Execution Environment for Arm Cortex-A cores using TrustZone technology. It occurs when OP-TEE is configured as an SPMC for S-EL0 secure partitions. The vulnerability exists in the shared memory teardown logic of the Firmware Framework for Arm (FF-A), specifically in the function sp_mem_remove(). This function frees memory entries without acquiring the necessary global lock, sp_mem_lock, leading to a race condition.

Because other functions like sp_mem_get_receiver() and sp_mem_is_shared() access the same memory lists without proper synchronization, a thread can end up dereferencing memory that has already been freed by another thread. This results in a Use-After-Free condition, which can cause memory corruption or information leakage within the secure world.

The vulnerability is triggered by FF-A calls such as FFA_MEM_RELINQUISH, FFA_MEM_RECLAIM, FFA_MEM_SHARE, or FFA_MEM_LEND. The issue was fixed by ensuring sp_mem_remove() holds the sp_mem_lock during memory deallocation and by protecting all list iterators.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability in OP-TEE can lead to memory corruption or information leakage in the secure world, impacting confidentiality, integrity, and availability. Such impacts could potentially affect compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive data and system integrity.

However, the provided information does not explicitly state how this vulnerability directly affects compliance with these specific standards or regulations.


How can this vulnerability impact me?

This vulnerability can have serious impacts including memory corruption and information leakage within the secure world of OP-TEE. Because it affects confidentiality, integrity, and availability, an attacker exploiting this flaw could potentially access sensitive data, alter secure operations, or cause denial of service.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability is a Use-After-Free race condition in the OP-TEE trusted execution environment, specifically in the shared memory teardown logic of FF-A when OP-TEE is configured as an SPMC for S-EL0 secure partitions.

Detection involves monitoring for abnormal behavior or crashes related to FF-A calls such as FFA_MEM_RELINQUISH, FFA_MEM_RECLAIM, FFA_MEM_SHARE, or FFA_MEM_LEND, which trigger the vulnerability.

Since the issue is in the OP-TEE OS internals, detection would typically involve checking whether the deployed OP-TEE version is 3.16.0 or later but earlier than 4.11.0, and reviewing logs or traces for memory corruption or crashes related to shared memory operations.

No specific detection commands are provided in the available resources.


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade OP-TEE to version 4.11.0 or later, where the vulnerability has been fixed by ensuring the sp_mem_remove() function holds the global sp_mem_lock during memory deallocation.

If upgrading is not immediately possible, consider disabling the configuration option CFG_SECURE_PARTITION=y to avoid running OP-TEE as an SPMC for S-EL0 secure partitions, thereby avoiding the vulnerable code path.

Additionally, monitor and restrict FF-A calls such as FFA_MEM_RELINQUISH, FFA_MEM_RECLAIM, FFA_MEM_SHARE, or FFA_MEM_LEND to reduce the risk of triggering the vulnerability.

