CVE-2026-41515
Received Received - Intake

RSA-OAEP Padding Oracle in OP-TEE NXP CAAM Driver

Vulnerability report for CVE-2026-41515, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-06

Last updated on: 2026-07-06

Assigner: GitHub, Inc.

Description

OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone technology. Starting in version 3.9.0 and prior to version 4.11.0, the RSA-OAEP decryption implementation in the NXP CAAM crypto driver uses non-constant-time `memcmp()` for label hash verification and has multiple distinguishable error paths. This creates a Manger-style padding oracle that allows an attacker to recover RSA-OAEP plaintext with approximately 1000-2000 adaptive chosen ciphertext queries. Version 4.11.0 contains a patch. As a workaround, disable the NXP CAAM RSA driver with `CFG_CRYPTO_DRV_RSA=n`.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-06
Last Modified
2026-07-06
Generated
2026-07-07
AI Q&A
2026-07-06
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
nxp caam_crypto_driver From 3.9.0 (inc) to 4.11.0 (exc)
nxp caam_crypto_driver 4.11.0
op-tee op-tee_os From 3.9.0 (inc)
op-tee op-tee_os 4.11.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-208 Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Impact Analysis

This vulnerability can impact you by allowing a local attacker with access to the affected system to recover plaintext data encrypted with RSA-OAEP by exploiting timing differences in the decryption process.

Because the attack requires approximately 1000-2000 adaptive chosen ciphertext queries and local access with high attack complexity, the risk is considered low but still significant for sensitive cryptographic operations.

Successful exploitation could lead to exposure of sensitive encrypted information processed by the NXP CAAM crypto driver on affected OP-TEE platforms.

Executive Summary

CVE-2026-41515 is a vulnerability in the NXP CAAM crypto driver within the OP-TEE OS, affecting versions 3.9.0 up to but not including 4.11.0. The issue arises from the RSA-OAEP decryption implementation using a non-constant-time memcmp() function for label hash verification and having multiple distinguishable error paths.

This creates a Manger-style padding oracle that allows an attacker to recover RSA-OAEP plaintext by submitting approximately 1000-2000 adaptive chosen ciphertext queries and analyzing timing differences in the responses.

The vulnerability is due to three distinguishable failure modes in the OAEP unpadding routine: a timing-leaking hash comparison, a padding scan loop with variable execution time, and an early return for missing separators. These allow an attacker to differentiate error conditions and recover plaintext.

Detection Guidance

This vulnerability can be detected by observing the behavior of the RSA-OAEP decryption interface in the NXP CAAM crypto driver on affected OP-TEE OS versions (3.9.0 up to but not including 4.11.0). Specifically, detection involves monitoring for timing differences and distinguishable error responses during RSA-OAEP decryption operations.

Since the vulnerability is a Manger-style padding oracle caused by non-constant-time memcmp() and multiple error paths, detection requires adaptive chosen ciphertext queries to the TEE RSA-OAEP decryption interface and analyzing the timing and error response patterns.

There are no explicit commands provided in the resources to detect this vulnerability directly on your system or network.

Mitigation Strategies

The immediate mitigation step is to disable the NXP CAAM RSA driver by setting the configuration option CFG_CRYPTO_DRV_RSA=n.

Additionally, upgrading to OP-TEE OS version 4.11.0 or later is recommended, as this version contains a patch that fixes the vulnerability by replacing memcmp() with a constant-time comparison function, removing early-exit loops, and consolidating error handling to eliminate timing variations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41515. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart