CVE-2026-41434
Undergoing Analysis Undergoing Analysis - In Progress

Unbounded Recursion in OP-TEE PKCS#11 Trusted Application

Vulnerability report for CVE-2026-41434, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-06

Last updated on: 2026-07-06

Assigner: GitHub, Inc.

Description

OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone technology. Starting in version 3.10.0 and prior to version 4.11.0, an unbounded recursion can crash the PKCS#11 TA. Version 4.11.0 contains a patch. No known workarounds are available.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-06
Last Modified
2026-07-06
Generated
2026-07-06
AI Q&A
2026-07-06
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
op-tee op-tee From 3.10.0 (inc) to 4.11.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-121 A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-41434 is a vulnerability in the OP-TEE PKCS#11 Trusted Application (TA) that allows an attacker in the Normal World to crash the TA by causing unbounded recursion.

The issue happens when the PKCS#11 TA processes a deeply nested CKA_WRAP_TEMPLATE attribute in a C_FindObjectsInit command, with around 80 levels of nesting.

Each recursion level consumes about 100-130 bytes of the TA's limited 8KB stack, leading to a stack overflow that writes past the stack boundary into a read-only guard page, triggering a data-abort and causing the OP-TEE core to terminate the TA.

Because the TA uses the TA_FLAG_SINGLE_INSTANCE flag, a single crash kills all active PKCS#11 sessions.

The vulnerability was fixed by limiting recursion depth to a maximum of 5 in relevant functions, and patched in OP-TEE versions 4.11.0 and later.

Impact Analysis

The primary impact of this vulnerability is reduced availability of the OP-TEE PKCS#11 Trusted Application.

An attacker can repeatedly crash the TA by exploiting the unbounded recursion, causing denial of service to all active PKCS#11 sessions since the TA runs as a single instance.

This can disrupt services relying on the Trusted Execution Environment for cryptographic operations, potentially affecting system stability and availability.

Detection Guidance

This vulnerability manifests as a crash of the OP-TEE PKCS#11 Trusted Application (TA) due to unbounded recursion triggered by processing a deeply nested CKA_WRAP_TEMPLATE attribute in a C_FindObjectsInit command.

Detection involves monitoring for repeated crashes or termination of the PKCS#11 TA, especially after C_OpenSession() calls that involve deeply nested attribute templates.

No specific detection commands are provided in the available information.

Mitigation Strategies

The vulnerability was fixed in OP-TEE version 4.11.0 by adding a recursion depth limit to relevant functions.

Immediate mitigation steps include upgrading OP-TEE to version 4.11.0 or later where the patch is applied.

No known workarounds are available, so patching is the recommended action.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41434. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart