CVE-2026-45702
Type Confusion in OP-TEE OS via FFA_MEM_SHARE Request
Publication date: 2026-06-03
Last updated on: 2026-06-03
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| op-tee | op-tee_os | From 4.3.0 (inc) to 4.11.0 (exc) |
| op-tee | op-tee_os | to 4.11.0 (exc) |
| op-tee | op-tee_os | 4.11.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-843 | The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-45702 is a type confusion vulnerability in OP-TEE OS, which is a Trusted Execution Environment designed to work alongside a non-secure Linux kernel on Arm Cortex-A cores using TrustZone technology.
This vulnerability occurs when OP-TEE is configured as an SPMC for S-EL0 secure partitions with specific configuration options enabled (CFG_CORE_SEL1_SPMC=y and CFG_SECURE_PARTITION=y).
The issue arises during the processing of an FFA_MEM_SHARE request from the normal world, where a dynamically allocated buffer is incorrectly treated as a different data structure pointer. This allows the normal world to control the address that OP-TEE reads, potentially causing a kernel panic in the secure world.
How can this vulnerability impact me?
This vulnerability allows an attacker with EL1 normal world privileges to cause a kernel panic in the OP-TEE secure world (S-EL1), effectively crashing it.
Such a crash disrupts the normal world hypervisor and other guest operating systems running on the platform, leading to denial of service.
The impact is primarily on availability, with a CVSS score reflecting moderate severity due to the potential for service disruption.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability occurs specifically when OP-TEE OS is configured with CFG_CORE_SEL1_SPMC=y and CFG_SECURE_PARTITION=y enabled, and it involves processing an FFA_MEM_SHARE request from the normal world.
Detection would involve verifying the OP-TEE OS configuration to check if these options are enabled and monitoring for kernel panics or crashes in the secure world (S-EL1) that could indicate exploitation attempts.
No specific detection commands or network-based detection methods are provided in the available information.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade OP-TEE OS to version 4.11.0 or later, where this vulnerability is fixed.
If upgrading is not immediately possible, ensure that OP-TEE OS is not configured with both CFG_CORE_SEL1_SPMC=y and CFG_SECURE_PARTITION=y, or deny memory sharing with S-EL0 secure partitions using dynamically allocated buffers to prevent the type confusion issue.
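The configuration and version checks described in the detection and mitigation answers above, written out as an added shell example; it is not part of the original page or of the OP-TEE project. It assumes the build configuration is available as a text file of `NAME=value` or `NAME := value` lines; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example, not OP-TEE project code. Assumption: the build configuration
# is a text file of NAME=value (or NAME := value) lines.

FIXED_VERSION="4.11.0"   # fixed release named in the mitigation answer

# cfg_enabled FILE NAME: succeeds when the last assignment of NAME is "y".
cfg_enabled() {
    val=$(sed -n "s/^[[:space:]]*$2[[:space:]]*[?:]\{0,1\}=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" | tail -n 1)
    [ "$val" = "y" ]
}

# ver_lt A B: succeeds when A is numerically lower than B (major.minor.patch).
ver_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# assess FILE VERSION: prints fixed | not-configured | exposed.
assess() {
    if ! ver_lt "$2" "$FIXED_VERSION"; then
        echo fixed
    elif cfg_enabled "$1" CFG_CORE_SEL1_SPMC && cfg_enabled "$1" CFG_SECURE_PARTITION; then
        echo exposed
    else
        echo not-configured
    fi
}

# Constructed sample configuration, not taken from a real build.
sample=$(mktemp)
printf '%s\n' 'CFG_CORE_SEL1_SPMC=y' 'CFG_SECURE_PARTITION := y' > "$sample"
assess "$sample" 4.10.0
rm -f "$sample"
```

A result of `exposed` means the build is older than the fixed release and has both options set to `y`; `not-configured` means at least one of the two options is not enabled in the file that was checked.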
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.