Description
OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone technology. Starting in version 4.5.0 and prior to version 4.11.0, the RSA PKCS#1 v1.5 decryption implementation in the Hisilicon HPRE crypto driver uses non-constant-time `memcmp()` for label hash verification and has multiple distinguishable error paths. This creates a Bleichenbacher-style padding oracle that allows an attacker to recover RSA PKCS#1 v1.5 plaintext. Version 4.11.0 contains a patch. As a workaround, disable Hisilicon HPRE RSA driver with `CFG_HISILICON_ACC_V3=n`.
Published: 2026-07-06
Score: 2.5 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a Bleichenbacher‑style padding oracle discovered in the Hisilicon HPRE crypto driver of OP‑TEE’s Trusted Execution Environment. The driver’s RSA PKCS#1 v1.5 decryption routine uses a non‑constant‑time memcmp() to verify a label hash, and the routine contains multiple distinguishable error paths. An attacker can exploit these leakages to recover the plaintext of RSA‑encrypted data that uses PKCS#1 v1.5 padding, thereby compromising data confidentiality.

Affected Systems

The flaw affects OP‑TEE version numbers 4.5.0 through 4.10.x in devices that enable the Hisilicon HPRE crypto driver. The affected code resides in the OP‑TEE open‑source OS, commonly run on ARM Cortex‑A cores with TrustZone support. A patch was introduced in version 4.11.0 to eliminate the timing side channel and consolidate error handling, and a workaround is to disable the driver by setting CFG_HISILICON_ACC_V3=n.

Risk and Exploitability

The CVSS 2.5 indicates low overall severity; the vulnerability is not listed in CISA KEV, and the EPSS score is < 1%, suggesting limited exploitation data. The nature of the flaw implies that a local or remote attacker with the capability to invoke the absent RSA decryption routine in the trusted environment would need to observe the observable error paths to conduct a successful padding oracle attack. While the attack surface is constrained to systems that load the Hisilicon HPRE RSA driver, the impact of successfully decrypting sensitive data is significant, potentially exposing secrets stored or processed within the trusted domain.

Generated by OpenCVE AI on July 10, 2026 at 06:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OP‑TEE to release 4.11.0 or later, which removes the non‑constant‑time comparison and consolidates error handling in the HPRE crypto driver
  • If an upgrade is not immediately possible, enable the configuration option to disable the Hisilicon HPRE RSA driver by setting CFG_HISILICON_ACC_V3=n in the OP‑TEE configuration
  • Apply the vendor‑specified workaround before the next upgrade to prevent the padding oracle from being exploitable

Generated by OpenCVE AI on July 10, 2026 at 06:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 06 Jul 2026 22:45:00 +0000

Type Values Removed Values Added
First Time appeared Op-tee
Op-tee op-tee Os
Vendors & Products Op-tee
Op-tee op-tee Os

Mon, 06 Jul 2026 21:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 06 Jul 2026 19:45:00 +0000

Type Values Removed Values Added
Description OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone technology. Starting in version 4.5.0 and prior to version 4.11.0, the RSA PKCS#1 v1.5 decryption implementation in the Hisilicon HPRE crypto driver uses non-constant-time `memcmp()` for label hash verification and has multiple distinguishable error paths. This creates a Bleichenbacher-style padding oracle that allows an attacker to recover RSA PKCS#1 v1.5 plaintext. Version 4.11.0 contains a patch. As a workaround, disable Hisilicon HPRE RSA driver with `CFG_HISILICON_ACC_V3=n`.
Title OP-TEE: Hisilicon HPRE PKCS#1 v1.5 Decryption Padding Oracle
Weaknesses CWE-208
References
Metrics cvssV3_1

{'score': 2.5, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N'}


Subscriptions

Op-tee Op-tee Os
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-07-06T19:47:57.871Z

Reserved: 2026-04-20T18:18:50.681Z

Link: CVE-2026-41516

cve-icon Vulnrichment

Updated: 2026-07-06T19:47:54.270Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-10T07:00:06Z

Weaknesses
  • CWE-208

    Observable Timing Discrepancy