CVE-2026-45702 Overview
CVE-2026-45702 is a type confusion vulnerability [CWE-843] in OP-TEE OS, the open-source Trusted Execution Environment (TEE) for Arm Cortex-A cores using TrustZone. The flaw resides in the handling of FFA_MEM_SHARE requests originating from the normal world. It affects OP-TEE OS versions 4.3.0 through 4.10.x when the build is configured as a Secure Partition Manager Core (SPMC) for S-EL0 Secure Partitions, specifically with CFG_CORE_SEL1_SPMC=y and CFG_SECURE_PARTITION=y. A local attacker with high privileges in the normal world can trigger the condition to cause a denial of service in the secure world. Version 4.11.0 contains the fix.
Critical Impact
A privileged local actor in the non-secure world can issue a crafted FFA_MEM_SHARE call that causes type confusion inside the SPMC, leading to availability loss of the Trusted Execution Environment.
Affected Products
- OP-TEE OS versions 4.3.0 through 4.10.x
- Builds configured with CFG_CORE_SEL1_SPMC=y
- Builds configured with CFG_SECURE_PARTITION=y hosting S-EL0 Secure Partitions
Discovery Timeline
- 2026-06-03 - CVE-2026-45702 published to NVD
- 2026-06-03 - Last updated in NVD database
Technical Details for CVE-2026-45702
Vulnerability Analysis
OP-TEE OS implements the Arm Firmware Framework for A-profile (FF-A) to mediate communication and memory sharing between the normal world (Linux) and Secure Partitions running at S-EL0. When acting as the SPMC at S-EL1, OP-TEE receives FFA_MEM_SHARE calls that describe a memory region the normal world wants to share with a Secure Partition.
The vulnerability is a type confusion [CWE-843] in the parsing of the FFA_MEM_SHARE descriptor. The SPMC interprets attacker-supplied data as a different structure or object type than was actually provided. This mismatch causes incorrect field interpretation inside the secure world and undermines memory-sharing invariants.
Exploitation requires local access and high privileges in the non-secure OS, which limits the threat to actors who already control a privileged context in Linux. Confidentiality and integrity are not impacted, but the secure world can be brought into an inconsistent state that results in denial of service.
Root Cause
The SPMC processes the FFA_MEM_SHARE request without correctly validating the type or structure of the descriptor supplied by the normal world. Subsequent code paths operate on the data assuming a different layout, producing a type confusion condition. This pattern is characteristic of CWE-843, where the same memory is accessed using incompatible type assumptions.
Attack Vector
An attacker executing privileged code in the normal-world Linux kernel issues a crafted FFA_MEM_SHARE SMC call to OP-TEE. The malformed descriptor triggers the type confusion inside the SPMC during validation or transfer of the shared memory region. The impact is confined to availability of the secure world on builds that use OP-TEE as an S-EL0 SPMC. Full technical details are published in the GitHub Security Advisory.
No public proof-of-concept code is available, and the advisory does not include sanitized exploitation code. The vulnerability is described in prose only in the upstream advisory.
Detection Methods for CVE-2026-45702
Indicators of Compromise
- Unexpected resets, panics, or aborts reported by OP-TEE in kernel logs (tee, optee, or ffa subsystem messages).
- Repeated FFA_MEM_SHARE SMC calls with malformed descriptors originating from non-standard kernel modules.
- Loss of availability of services backed by Secure Partitions following normal-world activity by privileged processes.
Detection Strategies
- Inventory devices to identify OP-TEE builds compiled with CFG_CORE_SEL1_SPMC=y and CFG_SECURE_PARTITION=y between versions 4.3.0 and 4.10.x.
- Audit kernel modules and drivers that issue FF-A calls and validate that descriptor construction conforms to the FF-A specification.
- Correlate TEE crash telemetry with the calling process identity to surface privileged callers triggering SPMC faults.
Monitoring Recommendations
- Forward kernel ring-buffer events related to OP-TEE and FF-A to a central log store for retention and analysis.
- Alert on repeated TEE restart events on production fleets running affected configurations.
- Track installed OP-TEE versions across embedded and edge device fleets to confirm rollout of 4.11.0.
How to Mitigate CVE-2026-45702
Immediate Actions Required
- Upgrade OP-TEE OS to version 4.11.0 or later on all devices configured as an S-EL0 SPMC.
- For devices that cannot be patched immediately, restrict which non-secure-world processes can load kernel modules that issue FF-A calls.
- Review build configurations and disable CFG_SECURE_PARTITION on systems that do not require S-EL0 Secure Partitions.
Patch Information
The maintainers fixed the issue in OP-TEE OS 4.11.0. Refer to the OP-TEE GitHub Security Advisory GHSA-86pj-8xgw-66p5 for the corrected commit and remediation guidance. Vendors shipping firmware that embeds OP-TEE should rebuild and redistribute updated images to affected devices.
Workarounds
- Rebuild OP-TEE without CFG_CORE_SEL1_SPMC=y if the SPMC role is not required on the target device.
- Limit normal-world root and kernel-level access through standard Linux hardening and signed-module enforcement to reduce the population of actors meeting the high-privilege precondition.
- Monitor for and respond to repeated TEE faults that may indicate exploitation attempts until a patched build is deployed.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
