Impact
The vulnerability arises in the RSA‑OAEP decryption routine of the NXP CAAM crypto driver used by OP‑TEE OS. The driver performs label‑hash comparison using a non‑constant‑time memcmp and exposes distinct error paths for each failure case. This behavior creates a Manager‑style padding oracle that an attacker can exploit to recover the original plaintext of an RSA‑OAEP encrypted message with roughly 1 000–2 000 chosen‑ciphertext queries, compromising confidentiality. The weakness corresponds to CWE‑208 – Information Exposure Through an Improperly Controlled Exception.
Affected Systems
OP‑TEE OS is affected in every release from 3.9.0 up to but not including 4.11.0. The fix was introduced in version 4.11.0, restoring constant‑time comparison and removing the error‑path leakage. All deployments that use the NXP CAAM RSA driver in these affected versions are at risk.
Risk and Exploitability
The CVSS score of 2.5 indicates low overall severity, and the EPSS score is currently unavailable, suggesting no widespread exploitation. The vulnerability is not listed in the CISA KEV catalog. An attacker would need to interact with the NXP CAAM driver—typically on the same device or via the operating system that invokes OP‑TEE—to provide chosen ciphertexts. The requirement for adaptive chosen‑ciphertext queries limits the likelihood of successful exploitation in uncontrolled environments, yet the confidentiality impact makes it important to address as soon as possible.
OpenCVE Enrichment