Description
OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm Cortex-A cores using the TrustZone technology. Prior to version 4.11.0, on many of the ECDH shared secret paths, the public key isn't verified to be a point on the correct curve. By passing approximately 30-40 crafted public keys to OP-TEE, the private key can be reconstructed by a normal world attacker. When calling TEE_DeriveKey the public key is provided with full X and Y values, but the (X, Y) point might not satisfy the `Y^2 == X^3 + aX + b mod P` math for the specific curve that is used. When those public keys aren't rejected, the attacker can select public keys such that each DeriveKey call will leak `d % r` where `d` is the private key and `r` comes from the relationship between the correct curve and the attacker selected curve. With enough leaked data the Chinese remainder theorem can be used to recover the full private key. Version 4.11.0 fixes the issue.
Published: 2026-06-03
Score: 4.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

OP-TEE OS, a Trusted Execution Environment for Arm platforms, contains a flaw in its Elliptic Curve Diffie–Hellman (ECDH) key-derivation routine. A public key supplied to TEE_DeriveKey is not checked to be a valid point on the expected elliptic curve. When an attacker supplies approximately 30–40 specially crafted points, each DeriveKey call leaks partial information about the private key. Applying the Chinese remainder theorem to the leaked values enables the attacker to recover the entire ECDH private key held in the secure world. The record classifies this issue as CWE-347 (Improper Verification of Cryptographic Signature); the underlying defect is incomplete validation of the supplied public key.

Affected Systems

The vulnerability affects OP-TEE OS versions earlier than 4.11.0. The patch in v4.11.0 adds proper point validation for all supported curves. All builds of the official OP-TEE repository before that release are vulnerable; custom or forked builds lacking the fix are also impacted.

Risk and Exploitability

The CVSS score of 4.7 indicates moderate risk. EPSS data is not available, and the flaw is not listed in CISA’s KEV catalog. Attackers must be able to invoke the TEE_DeriveKey API from the normal world, which typically requires local access to the device. The vulnerability requires multiple interactions with the API—approximately 30–40 calls—to accumulate enough leaked data before the private key can be reconstructed. Based on the description, it is inferred that a local attacker on the same hardware can exploit this path, but a remote attacker without device access is unlikely to succeed.

Generated by OpenCVE AI on June 3, 2026 at 20:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OP-TEE OS to version 4.11.0 or later, which implements point validation during ECDH operations.
  • Verify that any custom or forked OP-TEE builds include the patched logic and have not reintroduced the validation flaw.
  • Restrict the TEE_DeriveKey interface to trusted kernel components, limiting normal‑world access and reducing the attack surface.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Trustedfirmware
Trustedfirmware op-tee
CPEs cpe:2.3:o:linaro:op-tee:*:*:*:*:*:*:*:* cpe:2.3:o:trustedfirmware:op-tee:*:*:*:*:*:*:*:*
Vendors & Products Linaro
Linaro op-tee
Trustedfirmware
Trustedfirmware op-tee

Fri, 05 Jun 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Op-tee
Op-tee op-tee Os
Vendors & Products Op-tee
Op-tee op-tee Os

Fri, 05 Jun 2026 00:30:00 +0000

Type Values Removed Values Added
First Time appeared Linaro
Linaro op-tee
CPEs cpe:2.3:o:linaro:op-tee:*:*:*:*:*:*:*:*
Vendors & Products Linaro
Linaro op-tee

Wed, 03 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 03 Jun 2026 19:00:00 +0000

Type Values Removed Values Added
Description OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm Cortex-A cores using the TrustZone technology. Prior to version 4.11.0, on many of the ECDH shared secret paths, the public key isn't verified to be a point on the correct curve. By passing approximately 30-40 crafted public keys to OP-TEE, the private key can be reconstructed by a normal world attacker. When calling TEE_DeriveKey the public key is provided with full X and Y values, but the (X, Y) point might not satisfy the `Y^2 == X^3 + aX + b mod P` math for the specific curve that is used. When those public keys aren't rejected, the attacker can select public keys such that each DeriveKey call will leak `d % r` where `d` is the private key and `r` comes from the relationship between the correct curve and the attacker selected curve. With enough leaked data the Chinese remainder theorem can be used to recover the full private key. Version 4.11.0 fixes the issue.
Title OP-TEE vulnerable to ECDH private key recovery
Weaknesses CWE-347
References
Metrics cvssV3_1

{'score': 4.7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-03T19:29:26.527Z

Reserved: 2026-05-12T20:31:43.448Z

Link: CVE-2026-45614

Vulnrichment

Updated: 2026-06-03T19:28:48.616Z

NVD

Status: Analyzed

Published: 2026-06-03T19:16:38.510

Modified: 2026-06-05T20:21:19.797

Link: CVE-2026-45614

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T08:30:24Z

Weaknesses
  • CWE-347

    Improper Verification of Cryptographic Signature