CVE-2026-45614 Overview
OP-TEE is a Trusted Execution Environment (TEE) that runs alongside a non-secure Linux kernel on Arm Cortex-A cores using TrustZone technology. CVE-2026-45614 is an improper signature verification flaw [CWE-347] affecting OP-TEE versions prior to 4.11.0. The Elliptic Curve Diffie-Hellman (ECDH) shared secret paths fail to validate that the supplied public key lies on the expected curve. A local attacker in the normal world can submit crafted public keys to TEE_DeriveKey and reconstruct the private key held in the secure world. Version 4.11.0 resolves the issue by enforcing curve point validation.
Critical Impact
A local low-privileged attacker can recover ECDH private keys from OP-TEE secure world by issuing roughly 30 to 40 invalid-curve queries to TEE_DeriveKey.
Affected Products
- OP-TEE OS versions prior to 4.11.0
- Arm Cortex-A devices using TrustZone with vulnerable OP-TEE builds
- Trusted Applications relying on ECDH key agreement in OP-TEE
Discovery Timeline
- 2026-06-03 - CVE-2026-45614 published to NVD
- 2026-06-03 - Last updated in NVD database
Technical Details for CVE-2026-45614
Vulnerability Analysis
The flaw is an invalid-curve attack against ECDH key derivation inside OP-TEE. When a Trusted Application calls TEE_DeriveKey, the caller supplies an attacker-controlled public key as full X and Y coordinates. OP-TEE accepts the point without verifying that it satisfies the curve equation Y^2 == X^3 + aX + b mod P for the configured curve.
Because the point is not validated, the scalar multiplication operates on a point that actually lies on a different curve, one chosen by the attacker. That alternate curve can be selected to contain subgroups of small order r. Each TEE_DeriveKey call leaks d mod r, where d is the secure-world private key. After collecting residues from approximately 30 to 40 crafted public keys, the attacker applies the Chinese Remainder Theorem to recover the full private key.
Root Cause
The ECDH implementation in OP-TEE accepts caller-supplied (X, Y) coordinates without checking membership on the configured curve. Missing point validation in the shared secret paths permits scalar multiplication on hostile curves and constitutes the improper signature/key verification weakness tracked as [CWE-347].
Attack Vector
Exploitation requires local access with the ability to invoke TEE client APIs from the normal world. The attacker repeatedly calls TEE_DeriveKey with public keys constructed on auxiliary curves sharing the same a, b, and prime parameters but containing small-order subgroups. Each invocation yields a partial residue of the private scalar. After enough residues are collected, the attacker reconstructs d offline using CRT. No user interaction is required, and the attack does not impact integrity or availability, only confidentiality of the private key.
No public proof-of-concept code is available. See the GitHub Security Advisory for technical details.
Detection Methods for CVE-2026-45614
Indicators of Compromise
- High-frequency invocations of TEE_DeriveKey from a single normal-world client targeting the same ECDH key handle
- Trusted Application logs showing repeated key agreement calls with varying public key inputs over short intervals
- Anomalous CA (Client Application) processes interacting with TEE supplicant APIs outside expected workflows
Detection Strategies
- Audit OP-TEE build versions across device fleets and flag any image reporting a version earlier than 4.11.0
- Instrument Trusted Applications to log ECDH peer public key parameters and alert on points that fail curve validation
- Correlate normal-world process telemetry with TEE invocation counts to detect brute-force style key-derivation patterns
Monitoring Recommendations
- Centralize OP-TEE and kernel logs into a SIEM and create rules for repeated TEE_DeriveKey failures or sequential invocations from one PID
- Monitor firmware and OS update channels for OP-TEE 4.11.0 rollout status across embedded fleets
- Track local privilege boundaries: only trusted CAs should reach the TEE client API on production devices
How to Mitigate CVE-2026-45614
Immediate Actions Required
- Upgrade OP-TEE OS to version 4.11.0 or later on all affected Arm Cortex-A TrustZone devices
- Rotate any ECDH private keys provisioned in the secure world that were reachable through TEE_DeriveKey on vulnerable builds
- Restrict access to TEE client interfaces so only authorized normal-world processes can invoke key derivation
Patch Information
OP-TEE version 4.11.0 fixes the vulnerability by validating that supplied public key points lie on the configured curve before scalar multiplication. Vendors shipping firmware based on OP-TEE must rebuild and redistribute device images that incorporate the fix. Refer to the OP-TEE GHSA-g6qf-hwf7-mg9h advisory for commit references.
Workarounds
- Modify vulnerable Trusted Applications to perform explicit on-curve validation of peer public keys before calling TEE_DeriveKey
- Reject ECDH operations where the supplied (X, Y) point does not satisfy Y^2 == X^3 + aX + b mod P for the configured curve
- Limit the rate of ECDH key derivation calls per client to impede residue collection while patches are rolled out
# Verify installed OP-TEE OS version on a target device
strings /path/to/tee.bin | grep -i "OP-TEE"
# Expected output should report version 4.11.0 or later
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
