CVE-2026-41514 in OP-TEEinfo

Summary

by MITRE • 07/06/2026

OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone technology. Starting in version 4.5.0 and prior to version 4.11.0, the RSA-OAEP decryption implementation in the Hisilicon HPRE crypto driver uses non-constant-time `memcmp()` for label hash verification and has multiple distinguishable error paths. This creates a Manger-style padding oracle that allows an attacker to recover RSA-OAEP plaintext with approximately 1000-2000 adaptive chosen ciphertext queries. Only affects plat-d06 with `CFG_HISILICON_ACC_V3=y`, which seems to be disabled by default. Version 4.11.0 contains a patch. As a workaround, disable Hisilicon HPRE RSA driver with `CFG_HISILICON_ACC_V3=n`.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 07/06/2026

The vulnerability resides within the OP-TEE Trusted Execution Environment implementation specifically affecting the Hisilicon HPRE crypto driver version 4.5.0 through 4.10.0. This flaw impacts devices utilizing Arm Cortex-A cores with TrustZone technology, where the cryptographic operations are processed within a secure environment separate from the main Linux kernel. The vulnerability manifests in the RSA-OAEP decryption implementation which employs non-constant-time comparison functions during label hash verification processes, creating a timing-based side-channel attack vector that violates fundamental security principles of cryptographic implementations.

The core technical flaw involves the use of standard `memcmp()` function for comparing label hashes rather than constant-time comparison methods. This approach exposes distinguishable error paths that can be exploited through adaptive chosen ciphertext attacks. The Manger-style padding oracle vulnerability arises because different error conditions during decryption reveal information about the validity of the padding, allowing an attacker to iteratively determine the plaintext through approximately 1000-2000 carefully crafted queries. This weakness directly maps to CWE-203 - "Observable Behavioral Vulnerability" and CWE-327 - "Use of a Broken or Risky Cryptographic Algorithm" in the Common Weakness Enumeration framework, as it enables attackers to bypass the security assurances typically provided by cryptographic padding schemes.

The operational impact of this vulnerability is significant for systems utilizing the affected hardware platforms, particularly those running on plat-d06 with `CFG_HISILICON_ACC_V3=y` configuration. While this specific configuration appears to be disabled by default, any system that enables it becomes vulnerable to sophisticated attacks that can recover RSA-OAEP plaintext without requiring access to the secure execution environment. The attack requires only adaptive chosen ciphertext queries and can potentially compromise sensitive data processed within the TEE, undermining the fundamental security model of the Trusted Execution Environment. The vulnerability affects the cryptographic integrity guarantees that users expect from properly implemented RSA-OAEP decryption protocols.

The mitigation strategy involves either upgrading to OP-TEE version 4.11.0 or later, which includes the necessary patch addressing the timing side-channel issues in the Hisilicon HPRE driver implementation. Alternatively, administrators can disable the vulnerable driver through the kernel configuration parameter `CFG_HISILICON_ACC_V3=n`, effectively preventing the use of the problematic cryptographic acceleration hardware. This workaround aligns with ATT&CK technique T1552.004 - "Credentials from Password Stores" mitigation by removing access to the vulnerable cryptographic functions, and follows the principle of least privilege by disabling unnecessary security features that introduce risk. The patch implementation should ensure constant-time comparison operations are used for all cryptographic hash verification processes, eliminating the distinguishable error paths that enable the padding oracle attack.

The vulnerability demonstrates how seemingly minor implementation details in cryptographic libraries can create significant security risks when dealing with timing-sensitive operations. It highlights the importance of constant-time algorithm implementations in security-critical contexts and the necessity of following established cryptographic best practices. The attack scenario represents a classic example of how side-channel vulnerabilities can be leveraged to break otherwise secure cryptographic protocols, emphasizing that even well-established schemes like RSA-OAEP require careful implementation to maintain their security properties against sophisticated adversaries who can exploit timing variations in execution paths.

Responsible

GitHub M

Reservation

04/20/2026

Disclosure

07/06/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!