Description
OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone technology. In versions 3.13.0 through 4.10.0, missing checks in `entry_get_attribute_value()` in `ta/pkcs11/src/object.c` can lead to out-of-bounds read from the PKCS#11 TA heap or a crash. When chained with the OOB read, the PKCS#11 TA function `PKCS11_CMD_GET_ATTRIBUTE_VALUE` or `entry_get_attribute_value()` can, with a bad template parameter, be tricked into reading at most 7 bytes beyond the end of the template buffer and writing beyond the end of the template buffer with the content of an attribute value of a PKCS#11 object. Commits e031c4e562023fd9f199e39fd2e85797e4cbdca9, 16926d5a46934c46e6656246b4fc18385a246900, and 149e8d7ecc4ef8bb00ab4a37fd2ccede6d79e1ca contain patches and are anticipated to be part of version 4.11.0.
Published: 2026-04-24
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Memory Disclosure
Action: Apply Patch
AI Analysis

Impact

The bug is an out‑of‑bounds read and write in the PKCS#11 Trusted Application of OP‑TEE, originating from missing bounds checks in the function `entry_get_attribute_value()` in `ta/pkcs11/src/object.c`. The flaw permits a malicious client to supply a malformed attribute template that causes the TA to read up to seven bytes beyond the end of the template buffer and then to copy those extra bytes back into the template buffer. This can expose sensitive data stored within the Trusted Execution Environment or corrupt the TA’s memory, potentially leading to a crash.

Affected Systems

Affected versions are OP‑TEE OS 3.13.0 through 4.10.0. The vulnerability was fixed by commits e031c4e5, 16926d5a, and 149e8d7e, which are expected to appear in release 4.11.0. All built OP‑TEE images that include the PKCS#11 TA in this version range are impacted, regardless of vendor or deployment.

Risk and Exploitability

The CVSS score is 8.7, and the EPSS score is below 1 % with no listing in the CISA KEV catalog. An attacker must be able to invoke the PKCS#11 interface on the TEE; a crafted command using `PKCS11_CMD_GET_ATTRIBUTE_VALUE` is sufficient to exploit the overflow. Because the read/write is limited to a handful of bytes, exploitation may be subtle, but the data revealed can be highly confidential. The risk is therefore high for confidentiality and availability, and the low EPSS implies that exploitation is currently unlikely but still possible, especially in environments that expose the PKCS#11 API widely.

Generated by OpenCVE AI on April 28, 2026 at 07:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OP-TEE OS to version 4.11.0 or later and rebuild the PKCS#11 Trusted Application to apply the official fixes
  • Reinstall the updated OP-TEE image on all devices to ensure the vulnerable TA is replaced
  • Restrict access to the PKCS#11 interface on the Trusted Execution Environment, allowing only trusted applications or users to invoke PKCS#11 commands

Generated by OpenCVE AI on April 28, 2026 at 07:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Op-tee
Op-tee op-tee Os
Vendors & Products Op-tee
Op-tee op-tee Os

Mon, 27 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Linaro
Linaro op-tee
CPEs cpe:2.3:o:linaro:op-tee:*:*:*:*:*:*:*:*
Vendors & Products Linaro
Linaro op-tee

Fri, 24 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 24 Apr 2026 02:45:00 +0000

Type Values Removed Values Added
Description OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone technology. In versions 3.13.0 through 4.10.0, missing checks in `entry_get_attribute_value()` in `ta/pkcs11/src/object.c` can lead to out-of-bounds read from the PKCS#11 TA heap or a crash. When chained with the OOB read, the PKCS#11 TA function `PKCS11_CMD_GET_ATTRIBUTE_VALUE` or `entry_get_attribute_value()` can, with a bad template parameter, be tricked into reading at most 7 bytes beyond the end of the template buffer and writing beyond the end of the template buffer with the content of an attribute value of a PKCS#11 object. Commits e031c4e562023fd9f199e39fd2e85797e4cbdca9, 16926d5a46934c46e6656246b4fc18385a246900, and 149e8d7ecc4ef8bb00ab4a37fd2ccede6d79e1ca contain patches and are anticipated to be part of version 4.11.0.
Title OP-TEE: PKCS#11 TA out-of-bounds read and memory disclosure
Weaknesses CWE-125
CWE-787
References
Metrics cvssV3_1

{'score': 8.7, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L'}

Subscriptions

Linaro Op-tee
Op-tee Op-tee Os
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-24T18:18:04.912Z

Reserved: 2026-03-18T21:23:36.677Z

Link: CVE-2026-33317

cve-icon Vulnrichment

Updated: 2026-04-24T17:20:10.513Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-24T03:16:11.020

Modified: 2026-04-27T14:50:13.087

Link: CVE-2026-33317

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T08:45:26Z

Weaknesses