CVE-2026-45702
Analyzed Analyzed - Analysis Complete
Type Confusion in OP-TEE OS via FFA_MEM_SHARE Request

Publication date: 2026-06-03

Last updated on: 2026-06-05

Assigner: GitHub, Inc.

Description
OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone technology. Starting in version 4.3.0 and prior to version 4.11.0, a type confusion vulnerability exists in OP-TEE OS when processing an FFA_MEM_SHARE request from the normal world. This only applies when OP-TEE is configured as an SPMC for S-EL0 SPs, that is, with `CFG_CORE_SEL1_SPMC=y` and `CFG_SECURE_PARTITION=y`. Version 4.11.0 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-03
Last Modified
2026-06-05
Generated
2026-06-24
AI Q&A
2026-06-03
EPSS Evaluated
2026-06-22
NVD
CVE-2026-45702
EUVD
EUVD-2026-34160
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
trustedfirmware op-tee From 4.3.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-843 The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-45702 is a type confusion vulnerability in OP-TEE OS, which is a Trusted Execution Environment designed to work alongside a non-secure Linux kernel on Arm Cortex-A cores using TrustZone technology.

This vulnerability occurs when OP-TEE is configured as an SPMC for S-EL0 secure partitions with specific configuration options enabled (CFG_CORE_SEL1_SPMC=y and CFG_SECURE_PARTITION=y).

The issue arises during the processing of an FFA_MEM_SHARE request from the normal world, where a dynamically allocated buffer is incorrectly treated as a different data structure pointer. This allows the normal world to control the address that OP-TEE reads, potentially causing a kernel panic in the secure world.

Impact Analysis

This vulnerability allows an attacker with EL1 normal world privileges to cause a kernel panic in the OP-TEE secure world (S-EL1), effectively crashing it.

Such a crash disrupts the normal world hypervisor and other guest operating systems running on the platform, leading to denial of service.

The impact is primarily on availability, with a CVSS score reflecting moderate severity due to the potential for service disruption.

Detection Guidance

This vulnerability occurs specifically when OP-TEE OS is configured with CFG_CORE_SEL1_SPMC=y and CFG_SECURE_PARTITION=y enabled, and it involves processing an FFA_MEM_SHARE request from the normal world.

Detection would involve verifying the OP-TEE OS configuration to check if these options are enabled and monitoring for kernel panics or crashes in the secure world (S-EL1) that could indicate exploitation attempts.

No specific detection commands or network-based detection methods are provided in the available information.

Mitigation Strategies

The immediate mitigation step is to upgrade OP-TEE OS to version 4.11.0 or later, where this vulnerability is fixed.

Alternatively, if upgrading is not immediately possible, ensure that OP-TEE OS is not configured with both CFG_CORE_SEL1_SPMC=y and CFG_SECURE_PARTITION=y enabled, or deny memory sharing with S-EL0 secure partitions using dynamically allocated buffers to prevent the type confusion issue.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45702. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart