CVE-2026-40257
Received Received - Intake

Heap Overflow in OP-TEE Due to SHA-3 Crypto Extensions

Vulnerability report for CVE-2026-40257, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-06

Last updated on: 2026-07-06

Assigner: GitHub, Inc.

Description

OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone technology. Starting in version 3.21.0 and prior to version 4.11.0, the ARM Crypto Extensions accelerated SHA-3 implementation has an off-by-one error that can cause a massive heap overflow that corrupts all TEE kernel memory following the hash state. This affects all platforms built with `CFG_CRYPTO_WITH_CE82=y` (ARMv8.2+ with SHA3 Crypto Extensions). Version 4.11.0 contains a patch. As a workaround, disable SHA3 Crypto Extensions with `CFG_CRYPTO_WITH_CE82=n`.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-06
Last Modified
2026-07-06
Generated
2026-07-06
AI Q&A
2026-07-06
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
op-tee op-tee to 4.11.0 (exc)
op-tee op-tee 4.11.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-40257 is a heap overflow vulnerability in the SHA-3 accelerated finalize function of OP-TEE, a trusted execution environment for ARM Cortex-A cores using TrustZone technology.

The issue is caused by an off-by-one error in the ARM Crypto Extensions implementation, specifically in the sha3_process() function where a comparison operator is incorrect. This error causes a full block of input data to bypass hardware compression, leaving an internal byte index at the block size.

When finalizing the hash digest, this leads to an incorrect calculation of padding length due to an unsigned integer underflow, resulting in a massive heap overflow (around 4 GB) that corrupts all TEE kernel memory following the hash state.

The vulnerability affects all platforms built with CFG_CRYPTO_WITH_CE82=y (ARMv8.2+ with SHA3 Crypto Extensions).

Exploitation is trivial, requiring only two standard GP TEE API calls, and results in a guaranteed denial-of-service (kernel crash) without needing special permissions or key material.

The fix involves correcting the comparison operator and adding sanity checks in the finalization functions. A workaround is to disable SHA3 Crypto Extensions by setting CFG_CRYPTO_WITH_CE82=n.

Impact Analysis

This vulnerability can cause a massive heap overflow in the OP-TEE kernel memory, leading to corruption of all TEE kernel memory following the hash state.

The primary impact is a guaranteed denial-of-service condition, causing the trusted execution environment kernel to crash.

Exploitation is trivial and does not require special permissions or key material, making it easy for an attacker to disrupt system availability.

There is no impact on confidentiality or integrity, but the availability of the system is severely affected.

Detection Guidance

This vulnerability is a heap overflow in the SHA-3 accelerated finalize function of OP-TEE, triggered by specific usage of the ARM Crypto Extensions. Detection involves checking if your OP-TEE build is configured with SHA3 Crypto Extensions enabled (CFG_CRYPTO_WITH_CE82=y) and monitoring for kernel crashes or denial-of-service symptoms caused by the heap overflow.

Since exploitation requires only two standard GP TEE API calls, observing unusual or repeated TEE kernel crashes related to SHA-3 operations can indicate the presence of this vulnerability.

To check the build configuration, you can inspect the OP-TEE build configuration file or kernel config for the CFG_CRYPTO_WITH_CE82 setting.

  • Check if SHA3 Crypto Extensions are enabled: grep CFG_CRYPTO_WITH_CE82 /path/to/optee/build/config
  • Monitor kernel logs for crashes related to TEE or SHA-3: dmesg | grep -i tee
  • Use system logs to detect repeated TEE kernel crashes or denial-of-service events.
Mitigation Strategies

The immediate mitigation is to disable the SHA3 Crypto Extensions in your OP-TEE build by setting CFG_CRYPTO_WITH_CE82 to 'n'. This prevents the vulnerable code path from being used.

Additionally, update OP-TEE to version 4.11.0 or later, which contains the patch fixing the off-by-one error and adding sanity checks to prevent the heap overflow.

  • Set CFG_CRYPTO_WITH_CE82=n in your OP-TEE build configuration.
  • Rebuild and redeploy OP-TEE with the updated configuration.
  • Upgrade OP-TEE to version 4.11.0 or newer where the vulnerability is patched.
Compliance Impact

The vulnerability in OP-TEE's SHA-3 accelerated finalize function causes a massive heap overflow leading to a denial-of-service (kernel crash) without affecting confidentiality or integrity of data.

Since the vulnerability does not result in loss of confidentiality or integrity, it is unlikely to directly impact compliance with data protection standards such as GDPR or HIPAA, which primarily focus on protecting personal data confidentiality and integrity.

However, the availability impact (denial-of-service) could affect system reliability and uptime, which may have indirect implications depending on the specific regulatory requirements for system availability and resilience.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40257. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart