CVE-2026-41516
Received Received - Intake

RSA PKCS#1 v1.5 Padding Oracle in OP-TEE

Vulnerability report for CVE-2026-41516, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-06

Last updated on: 2026-07-06

Assigner: GitHub, Inc.

Description

OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone technology. Starting in version 4.5.0 and prior to version 4.11.0, the RSA PKCS#1 v1.5 decryption implementation in the Hisilicon HPRE crypto driver uses non-constant-time `memcmp()` for label hash verification and has multiple distinguishable error paths. This creates a Bleichenbacher-style padding oracle that allows an attacker to recover RSA PKCS#1 v1.5 plaintext. Version 4.11.0 contains a patch. As a workaround, disable Hisilicon HPRE RSA driver with `CFG_HISILICON_ACC_V3=n`.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-06
Last Modified
2026-07-06
Generated
2026-07-07
AI Q&A
2026-07-06
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
hisilicon hpre_crypto_driver From 4.5.0 (inc) to 4.11.0 (exc)
op-tee op-tee From 4.5.0 (inc) to 4.11.0 (exc)
op-tee op-tee 4.11.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-208 Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-41516 is a padding oracle vulnerability in the Hisilicon HPRE PKCS#1 v1.5 decryption implementation within the OP-TEE OS. The issue arises because the RSA PKCS#1 v1.5 decryption function uses non-constant-time operations, specifically a non-constant-time memcmp() for label hash verification and multiple distinguishable error paths.

These flaws create a Bleichenbacher-style padding oracle, allowing an attacker to recover RSA PKCS#1 v1.5 plaintext by exploiting timing differences in decryption responses.

The vulnerable function has three early-exit paths that leak information about the padding and header bytes, which an attacker can use to recover encrypted plaintext through approximately 1,000-2,000 decryption requests.

This vulnerability affects OP-TEE Core versions 4.5.0 up to but not including 4.11.0 on the Hisilicon platform with the HPRE RSA driver enabled.

Impact Analysis

This vulnerability can impact you by allowing an attacker with local access to the Trusted Execution Environment (TEE) interface to recover plaintext data encrypted with RSA PKCS#1 v1.5 on affected Hisilicon platforms.

The attacker exploits timing differences in the decryption process to perform a padding oracle attack, potentially compromising the confidentiality of sensitive data.

However, the severity is rated as low due to the requirement for local access, high attack complexity, and limited confidentiality impact.

Detection Guidance

This vulnerability is related to the Hisilicon HPRE PKCS#1 v1.5 decryption implementation within the OP-TEE OS, specifically affecting versions 4.5.0 up to but not including 4.11.0. Detection involves verifying the OP-TEE Core version and configuration on the affected platform.

You can check the OP-TEE OS version running on your system to determine if it falls within the vulnerable range (4.5.0 to before 4.11.0). Additionally, verify if the Hisilicon HPRE RSA driver is enabled with the configuration CFG_HISILICON_ACC_V3=y, as the vulnerability only affects this configuration.

Since the vulnerability is a timing side-channel in the RSA decryption function, direct network detection commands are not applicable. Instead, detection is primarily through system inspection.

  • Check OP-TEE OS version: `strings /path/to/optee_os | grep VERSION` or check build metadata.
  • Check kernel configuration for Hisilicon HPRE RSA driver: `grep CFG_HISILICON_ACC_V3 /path/to/optee/config` or inspect build config files.
  • Review platform information to confirm if it is the plat-d06 platform, which is affected.
Mitigation Strategies

The immediate mitigation step is to disable the Hisilicon HPRE RSA driver by setting the configuration option CFG_HISILICON_ACC_V3 to 'n'. This disables the vulnerable driver and prevents exploitation of the Bleichenbacher-style padding oracle.

Alternatively, upgrade OP-TEE OS to version 4.11.0 or later, where the vulnerability has been patched by rewriting the RSA PKCS#1 v1.5 decryption function to use constant-time operations and eliminate early exit paths.

  • Disable Hisilicon HPRE RSA driver: set `CFG_HISILICON_ACC_V3=n` in the OP-TEE build configuration.
  • Upgrade OP-TEE OS to version 4.11.0 or newer.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41516. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart