Description
OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone technology. Starting in version 3.9.0 and prior to version 4.11.0, the RSA-OAEP decryption implementation in the NXP CAAM crypto driver uses non-constant-time `memcmp()` for label hash verification and has multiple distinguishable error paths. This creates a Manger-style padding oracle that allows an attacker to recover RSA-OAEP plaintext with approximately 1000-2000 adaptive chosen ciphertext queries. Version 4.11.0 contains a patch. As a workaround, disable the NXP CAAM RSA driver with `CFG_CRYPTO_DRV_RSA=n`.
Published: 2026-07-06
Score: 2.5 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises in the RSA‑OAEP decryption routine of the NXP CAAM crypto driver used by OP‑TEE OS. The driver performs label‑hash comparison using a non‑constant‑time memcmp and exposes distinct error paths for each failure case. This behavior creates a Manager‑style padding oracle that an attacker can exploit to recover the original plaintext of an RSA‑OAEP encrypted message with roughly 1 000–2 000 chosen‑ciphertext queries, compromising confidentiality. The weakness corresponds to CWE‑208 – Information Exposure Through an Improperly Controlled Exception.

Affected Systems

OP‑TEE OS is affected in every release from 3.9.0 up to but not including 4.11.0. The fix was introduced in version 4.11.0, restoring constant‑time comparison and removing the error‑path leakage. All deployments that use the NXP CAAM RSA driver in these affected versions are at risk.

Risk and Exploitability

The CVSS score of 2.5 indicates low overall severity, and the EPSS score is currently unavailable, suggesting no widespread exploitation. The vulnerability is not listed in the CISA KEV catalog. An attacker would need to interact with the NXP CAAM driver—typically on the same device or via the operating system that invokes OP‑TEE—to provide chosen ciphertexts. The requirement for adaptive chosen‑ciphertext queries limits the likelihood of successful exploitation in uncontrolled environments, yet the confidentiality impact makes it important to address as soon as possible.

Generated by OpenCVE AI on July 7, 2026 at 05:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OP‑TEE OS to version 4.11.0 or later to apply the vendor patch.
  • If an upgrade is not currently possible, disable the NXP CAAM RSA driver by setting CFG_CRYPTO_DRV_RSA=n in the build configuration.
  • Restrict or remove any trusted applications that perform RSA‑OAEP decryption using the CAAM driver until the issue is resolved.

Generated by OpenCVE AI on July 7, 2026 at 05:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Jul 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 06 Jul 2026 22:45:00 +0000

Type Values Removed Values Added
First Time appeared Op-tee
Op-tee op-tee Os
Vendors & Products Op-tee
Op-tee op-tee Os

Mon, 06 Jul 2026 19:45:00 +0000

Type Values Removed Values Added
Description OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone technology. Starting in version 3.9.0 and prior to version 4.11.0, the RSA-OAEP decryption implementation in the NXP CAAM crypto driver uses non-constant-time `memcmp()` for label hash verification and has multiple distinguishable error paths. This creates a Manger-style padding oracle that allows an attacker to recover RSA-OAEP plaintext with approximately 1000-2000 adaptive chosen ciphertext queries. Version 4.11.0 contains a patch. As a workaround, disable the NXP CAAM RSA driver with `CFG_CRYPTO_DRV_RSA=n`.
Title OP-TEE: RSA-OAEP padding oracle in NXP CAAM driver enables plaintext recovery
Weaknesses CWE-208
References
Metrics cvssV3_1

{'score': 2.5, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N'}


Subscriptions

Op-tee Op-tee Os
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-07-07T14:09:30.230Z

Reserved: 2026-04-20T18:18:50.681Z

Link: CVE-2026-41515

cve-icon Vulnrichment

Updated: 2026-07-07T14:09:26.867Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-07T05:45:03Z

Weaknesses
  • CWE-208

    Observable Timing Discrepancy