CVE-2026-45702: OP-TEE Type Confusion Vulnerability in FFA_MEM_SHARE Processing
OP-TEE, a security-focused component running on Arm processors, contains a type confusion flaw when handling memory-sharing requests from the normal operating system. The vulnerability only affects specific OP-TEE configurations used to manage secure applications (when both SPMC mode and secure partition features are enabled). An attacker with high system privileges can trigger a denial of service, though the flaw does not expose sensitive data or allow code execution. Upgrading to OP-TEE version 4.11.0 or later resolves the issue.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.4 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-843
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-03 / 2026-06-17
NVD description (verbatim)
OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone technology. Starting in version 4.3.0 and prior to version 4.11.0, a type confusion vulnerability exists in OP-TEE OS when processing an FFA_MEM_SHARE request from the normal world. This only applies when OP-TEE is configured as an SPMC for S-EL0 SPs, that is, with `CFG_CORE_SEL1_SPMC=y` and `CFG_SECURE_PARTITION=y`. Version 4.11.0 fixes the issue.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-45702 is a type confusion vulnerability in OP-TEE OS that emerges during processing of FFA_MEM_SHARE requests originating from the rich operating system. The flaw is specific to deployments where OP-TEE operates as a Secure Partition Manager Controller (SPMC) for S-EL0 secure partitions, requiring both CFG_CORE_SEL1_SPMC and CFG_SECURE_PARTITION configuration flags to be enabled. The type confusion occurs when the TEE misinterprets or mishandles the memory region attributes or type information embedded in the FFA call, leading to improper memory state management. While the vulnerability does not permit information disclosure or privilege escalation across security boundaries, it can be weaponized to cause service disruption through resource exhaustion or incorrect state transitions within the secure domain. Affected versions span from 4.3.0 through 4.10.x; version 4.11.0 introduces corrected type handling logic.
Business impact
Organizations deploying OP-TEE as a foundational security component in Arm-based systems—particularly in IoT, embedded devices, automotive platforms, or edge computing environments—face availability risk. A high-privileged attacker can induce denial of service, causing the trusted execution environment to become unresponsive or enter an invalid state, which may cascade into broader system instability or require manual intervention and reboots. This is especially concerning in production environments where TEE availability underpins security-critical functions such as cryptographic key management, secure boot validation, or attestation services. The risk is moderate because exploitation requires high privilege level and the impact is availability-focused rather than confidentiality or integrity-focused.
Affected systems
OP-TEE versions 4.3.0 through 4.10.x are vulnerable when configured with both CFG_CORE_SEL1_SPMC=y (enabling SPMC mode) and CFG_SECURE_PARTITION=y (enabling secure partitions). Systems using OP-TEE in simpler configurations—such as single-TEE deployments without secure partition support—are not affected. The vulnerability is specific to Arm Cortex-A processors using TrustZone technology. Vulnerability is not present in OP-TEE 4.11.0 and later versions. Verify your build configuration and version against the TrustedFirmware OP-TEE release notes to determine exposure.
Exploitability
Exploitation requires an attacker to possess high privilege level on the normal world operating system (e.g., root or kernel-level access). This significantly constrains the threat; the attacker must already have gained substantial system access before they can abuse this flaw. The attack itself is straightforward—crafting a malformed FFA_MEM_SHARE request—but triggering it in a production environment requires prior compromise. The vulnerability is not known to be exploited in the wild and has not been added to the CISA Known Exploited Vulnerabilities (KEV) catalog. Remote exploitation is not feasible; the attack surface is limited to local authenticated users or privileged processes.
Remediation
Organizations should update OP-TEE to version 4.11.0 or a later release. Prior to updating, audit your current OP-TEE deployment to confirm the presence of both CFG_CORE_SEL1_SPMC=y and CFG_SECURE_PARTITION=y build flags; if neither flag is set, your system is not vulnerable. For systems unable to update immediately, restrict system access to trusted administrative users and monitor for anomalous TEE behavior. Test the update in a non-production environment first, as TEE updates may require secure boot or firmware re-provisioning procedures specific to your platform.
Patch guidance
Patch availability: OP-TEE 4.11.0 and later contain the fix. To apply: (1) obtain the latest OP-TEE source or binary release from the TrustedFirmware project; (2) verify that both CFG_CORE_SEL1_SPMC and CFG_SECURE_PARTITION flags are present in your build configuration to confirm you were vulnerable; (3) rebuild OP-TEE or update the TEE binary in your firmware image according to your platform's secure boot and firmware update procedures; (4) re-provision secure boot keys if required by your device; (5) validate TEE functionality post-update (e.g., verify attestation, key provisioning, and secure partition startup). Consult your platform vendor's integration guide and TrustedFirmware release notes for build and deployment specifics.
Detection guidance
Identify vulnerable instances by: (1) Checking OP-TEE version via tee-supplicant logs, OP-TEE initialization output, or firmware version commands; (2) Confirming build configuration by examining OP-TEE source tree or consulting your platform firmware documentation for CFG_CORE_SEL1_SPMC and CFG_SECURE_PARTITION flags; (3) Monitoring TEE logs and system logs for unexpected TEE failures, state corruption messages, or restart cycles correlating with memory-sharing operations; (4) Testing: in a controlled lab environment, analyze FFA call handling with instrumented OP-TEE or TEE-aware debuggers to confirm the type confusion is present before patching. Runtime detection of active exploitation is challenging because the impact manifests as a crash or state error rather than a suspicious network connection or file activity.
Why prioritize this
This vulnerability should be prioritized based on your deployment model. If your infrastructure includes Arm-based devices running OP-TEE in SPMC + secure partition mode (common in advanced IoT, automotive, or confidential computing platforms), schedule patching within your regular security update cycle—aim for 60–90 days. If you run simpler OP-TEE configurations without SPMC and secure partitions, deprioritize this flaw and focus on other exposure. The CVSS 4.4 (Medium) score reflects limited exploitability (high privilege required) and availability-only impact; however, the criticality of TEE availability in security-sensitive systems means business context should override raw score when making patch decisions.
Risk score, explained
The CVSS 3.1 score of 4.4 (MEDIUM) reflects: Attack Vector = Local (AV:L) because exploitation requires prior access to the system; Privilege Required = High (PR:H) because only high-privileged processes can craft FFA_MEM_SHARE requests; User Interaction = None (UI:N) because no user action is needed; Scope = Unchanged (S:U) meaning the impact does not cross security boundaries; Confidentiality = None (C:N) because data exposure does not occur; Integrity = None (I:N) because data corruption is not a direct outcome; Availability = High (A:H) because the TEE can become unresponsive. The moderate score accurately reflects that while availability impact is significant, the high barrier to exploitation (requiring high privilege) limits the overall risk in well-segmented systems.
Frequently asked questions
Does this vulnerability affect OP-TEE if we don't use secure partitions?
No. This flaw only manifests when OP-TEE is built with both CFG_CORE_SEL1_SPMC=y and CFG_SECURE_PARTITION=y enabled. Simpler deployments that run a single TEE without a secure partition manager are not affected. Check your build configuration to confirm.
Can this be exploited remotely over the network?
No. The vulnerability requires an attacker to already have high-privilege local access (root or kernel level) on the normal world operating system. It cannot be triggered from a remote network connection or by an unprivileged user. The threat model is insider or post-breach scenarios.
Will updating OP-TEE break our existing secure applications?
Verify against your platform vendor's release notes and OP-TEE changelog. OP-TEE 4.11.0 is generally backward-compatible with secure partitions built for earlier 4.x versions, but firmware update procedures vary by device. Always test updates in a lab environment first and ensure your secure boot and key provisioning workflows are in place.
How do we know if we're running a vulnerable OP-TEE version?
Check your device firmware or OP-TEE initialization logs to confirm the version number. Versions 4.3.0 through 4.10.x are vulnerable. Also verify that your build includes both CFG_CORE_SEL1_SPMC and CFG_SECURE_PARTITION flags; consult your platform vendor's documentation or examine OP-TEE source if available. Version 4.11.0 and later are patched.
This analysis is provided for informational purposes to assist with vulnerability assessment and patch planning. The vulnerability details, affected versions, and remediation steps described herein are based on publicly available information from the TrustedFirmware project and CVE record as of the publication date. Organizations should verify patch versions, build configurations, and platform-specific update procedures against the official TrustedFirmware OP-TEE release notes and their device vendor's security advisories before taking remedial action. SEC.co makes no warranty regarding the accuracy of version numbers, patch availability, or the completeness of affected system coverage; responsibility for validating environmental applicability rests with the deploying organization. This information does not constitute legal, technical, or professional advice. Testing in isolated environments before production deployment is strongly recommended. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10702MEDIUMFirefox JIT Compiler Miscompilation DoS Vulnerability
- CVE-2026-44640MEDIUMNanoMQ Type Confusion in QUIC Connection Handling
- CVE-2026-10022HIGHChrome V8 Type Confusion Vulnerability in Extensions
- CVE-2026-10910HIGHType Confusion in Chrome V8 Engine – Arbitrary Code Execution
- CVE-2026-10935HIGHChrome V8 Type Confusion Remote Code Execution (CVSS 8.8)
- CVE-2026-10936HIGHType Confusion in Chrome V8 Engine – Remote Code Execution
- CVE-2026-10955HIGHType Confusion in Chrome ANGLE on Windows – Critical Patch Required
- CVE-2026-10962HIGHType Confusion in Chrome Media Handling – Code Execution Risk