Description
OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone technology. Starting in version 3.16.0 and prior to 4.11.0, a user-after-free (UAF) race condition exists in the shared memory teardown logic of FF-A within OP-TEE SPMC/SP flows. This only applies when OP-TEE is configured as an SPMC for S-EL0 SPs, that is, with `CFG_SECURE_PARTITION=y`. The function `sp_mem_remove()`, responsible for freeing entries in `smem->receivers` and `smem->regions`, fails to acquire the global `sp_mem_lock` before performing the `free()` operations. Concurrently, other code paths, such as `sp_mem_get_receiver()`, iterate over these same lists without holding a lock, or, like `sp_mem_is_shared()`, iterate while holding the lock but are not serialized against the unprotected `free()` in `sp_mem_remove()`. This creates a cross-thread race where a thread iterating the list can acquire a pointer to an entry (e.g., `struct sp_mem_map_region` or `struct sp_mem_receiver`), and then another thread calls `sp_mem_remove()`, freeing the object. When the first thread resumes and dereferences the pointer, it results in a Use-After-Free vulnerability. Version 4.11.0 fixes the issue.
Published: 2026-06-03
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A race condition in OP‑TEE’s FF‑A shared‑memory teardown allows a thread to free an object while another thread is still iterating over it. This use‑after‑free flaw (CWE‑416) can enable an to trigger undefined behaviour that may lead to arbitrary code execution or data corruption in the trusted execution environment. Compromise of the secure world could result in severe confidentiality, integrity, and availability impacts for all services relying on OP‑TEE.

Affected Systems

The vulnerability affects OP‑TEE OP‑TEE OS. Versions from 3.16.0 up to (but not including) 4.11.0 are vulnerable when the kernel is compiled with `CFG_SECURE_PARTITION=y` to run as an SPMC for S‑EL0 secure partitions. The fix is included in version 4.11.0 and later.

Risk and Exploitability

The CVSS score of 7.8 denotes high severity. EPSS is not available, so the public exploitation probability is unknown, but the lack of a KEV listing suggests no mass exploitation is currently known. The race requires concurrent execution in a system configured as an SPMC, so an attacker would need to invoke multiple trusted‑partition interactions or corrupt the internal state of a privileged SP to trigger the condition.

Generated by OpenCVE AI on June 3, 2026 at 18:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update OP‑TEE to version 4.11.0 or later, which protects sp_mem_remove() by acquiring sp_mem_lock before freeing memory.
  • If an upgrade is not possible, disable the SPMC configuration by setting CFG_SECURE_PARTITION=n, unless S‑EL0 SP support is required.
  • For environments that must remain on vulnerable OP‑TEE versions, limit the number of concurrent S‑EL0 secure partitions and isolate untrusted secure partitions from each other to reduce the chance of the race condition occurring.

Generated by OpenCVE AI on June 3, 2026 at 18:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Trustedfirmware
Trustedfirmware op-tee
CPEs cpe:2.3:o:linaro:op-tee:*:*:*:*:*:*:*:* cpe:2.3:o:trustedfirmware:op-tee:*:*:*:*:*:*:*:*
Vendors & Products Linaro
Linaro op-tee
Trustedfirmware
Trustedfirmware op-tee

Fri, 05 Jun 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Op-tee
Op-tee op-tee Os
Vendors & Products Op-tee
Op-tee op-tee Os

Thu, 04 Jun 2026 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Linaro
Linaro op-tee
CPEs cpe:2.3:o:linaro:op-tee:*:*:*:*:*:*:*:*
Vendors & Products Linaro
Linaro op-tee

Thu, 04 Jun 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 03 Jun 2026 17:45:00 +0000

Type Values Removed Values Added
Description OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone technology. Starting in version 3.16.0 and prior to 4.11.0, a user-after-free (UAF) race condition exists in the shared memory teardown logic of FF-A within OP-TEE SPMC/SP flows. This only applies when OP-TEE is configured as an SPMC for S-EL0 SPs, that is, with `CFG_SECURE_PARTITION=y`. The function `sp_mem_remove()`, responsible for freeing entries in `smem->receivers` and `smem->regions`, fails to acquire the global `sp_mem_lock` before performing the `free()` operations. Concurrently, other code paths, such as `sp_mem_get_receiver()`, iterate over these same lists without holding a lock, or, like `sp_mem_is_shared()`, iterate while holding the lock but are not serialized against the unprotected `free()` in `sp_mem_remove()`. This creates a cross-thread race where a thread iterating the list can acquire a pointer to an entry (e.g., `struct sp_mem_map_region` or `struct sp_mem_receiver`), and then another thread calls `sp_mem_remove()`, freeing the object. When the first thread resumes and dereferences the pointer, it results in a Use-After-Free vulnerability. Version 4.11.0 fixes the issue.
Title OP-TEE has a Use-After-Free race in FF-A shared-memory teardown
Weaknesses CWE-416
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Op-tee Op-tee Os
Trustedfirmware Op-tee
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-04T14:18:01.010Z

Reserved: 2026-04-10T20:22:44.035Z

Link: CVE-2026-40290

cve-icon Vulnrichment

Updated: 2026-06-04T14:17:38.062Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-03T18:16:23.707

Modified: 2026-06-05T20:20:54.780

Link: CVE-2026-40290

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-05T08:30:24Z

Weaknesses