CVE-2026-44362
Received Received - Intake

Subkey Rollback Bypass in OP-TEE Trusted Applications

Vulnerability report for CVE-2026-44362, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-06

Last updated on: 2026-07-06

Assigner: GitHub, Inc.

Description

OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone technology. Starting in version 3.20.0 and prior to version 4.11.0, a vulnerability in OP-TEE’s subkey rollback protection allows the use of revoked or older subkey versions because the system fails to propagate versioning data during the Trusted Application (TA) loading process. In `core/crypto/signed_hdr.c`, the function `shdr_load_pub_key()` parses subkey headers but does not assign the `subkey_version` to the runtime `shdr_pub_key` structure. As a result, the `key->version` field remains at zero regardless of the version specified in the header. When `ree_fs_ta_open()` in `core/kernel/ree_fs_ta.c` calls `check_update_version()`, it passes this zeroed version to the rollback database. Because the database never receives a non-zero version to record, it never advances, effectively bypassing the rollback check and allowing TAs signed with downgraded subkey chains to load successfully. This impacts OP-TEE mainline configurations that utilize subkey-based signing chains for Trusted Application (TA) authentication. Version 4.11.0 contains a patch. No known workarounds are available.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-06
Last Modified
2026-07-06
Generated
2026-07-07
AI Q&A
2026-07-06
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
op-tee op-tee to 4.11.0 (exc)
op-tee op-tee 4.11.0
op-tee op-tee From 4.11.0 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-44362 is a vulnerability in OP-TEE's subkey rollback protection mechanism that allows bypassing security checks by using older or revoked subkey versions.

The issue occurs because the system fails to properly propagate versioning data during the loading of Trusted Applications (TAs). Specifically, in the function shdr_load_pub_key() in core/crypto/signed_hdr.c, the subkey_version is not assigned to the runtime shdr_pub_key structure, leaving the key->version field at zero.

This zeroed version is then passed to the rollback database via check_update_version(), preventing the database from advancing and effectively disabling rollback checks. As a result, TAs signed with downgraded or revoked subkey chains can still be loaded, enabling downgrade attacks.

The vulnerability affects OP-TEE versions 3.20.0 and later, with a patch available in version 4.11.0 and above.

Impact Analysis

This vulnerability can impact you by allowing attackers to bypass rollback protection and load Trusted Applications (TAs) signed with older, revoked, or weaker subkey versions.

This undermines the integrity of the system's trust chain, potentially allowing malicious or compromised TAs to run with elevated trust.

The severity is rated as Moderate with a CVSS score of 5.5, requiring low attack complexity and minimal privileges.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade OP-TEE to version 4.11.0 or later, where the patch addressing the subkey rollback protection issue has been applied.

No known workarounds are available, so applying the official patch or upgrading is the recommended immediate action.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44362. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart