CVE-2026-42546 in OP-TEEinfo

Summary

by MITRE • 07/06/2026

OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone technology. Starting in version 3.3.0 and prior to version 4.11.0, a resource leak exists in OP-TEE’s shared memory cleanup logic because the function `cleanup_shm_refs()` in `core/tee/entry_std.c` fails to apply a required bitmask (`OPTEE_MSG_ATTR_TYPE_MASK`) to parameter attributes. When processing non-contiguous memory parameters from a normal-world caller, the system fails to match the attribute type in its internal switch statement and skips the necessary mobj_put() call. This results in a persistent reference leak of `mobj_reg_shm` objects, which remain on internal lists with dangling refcounts. This affects non-FF-A configurations that support non-contiguous, non-secure shared memory. Over time, these accumulated leaks progressively consume the secure-world heap, degrading the system's ability to service trusted application operations and eventually requiring a reboot to recover. Version 4.11.0 contains a patch. No known workarounds are available.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 07/06/2026

The vulnerability described affects OP-TEE implementations operating in non-FF-A configurations with support for non-contiguous, non-secure shared memory processing. This represents a critical resource management flaw within the Trusted Execution Environment's memory handling subsystem that impacts system stability and security posture. The issue manifests through improper cleanup of shared memory references during normal-world function calls, creating persistent memory leaks within the secure kernel's internal data structures.

The technical root cause resides in the `cleanup_shm_refs()` function located within `core/tee/entry_std.c` file where the implementation fails to properly apply the required bitmask `OPTEE_MSG_ATTR_TYPE_MASK` when processing parameter attributes. This omission prevents the system from correctly identifying and handling different attribute types during memory cleanup operations, particularly affecting non-contiguous memory parameters originating from normal-world callers. The absence of proper type matching in the internal switch statement causes the system to skip essential `mobj_put()` calls that would normally release reference counts on `mobj_reg_shm` objects.

This flaw creates a systematic resource leak pattern where `mobj_reg_shm` objects accumulate in internal lists with invalid reference counts, effectively consuming secure-world heap resources over time. The vulnerability specifically targets non-FF-A configurations and impacts systems using Arm Cortex-A cores with TrustZone technology, making it particularly relevant for embedded security solutions and mobile platforms that rely on OP-TEE for trusted execution environments. The leak accumulation progressively degrades system performance and operational capacity.

The operational impact of this vulnerability extends beyond simple memory consumption issues to potentially compromise the entire TEE functionality. As secure-world heap resources become depleted through accumulated reference leaks, the system's ability to service trusted application operations diminishes significantly. Eventually, the degradation reaches a critical threshold requiring system reboot for recovery, creating potential denial-of-service conditions that could be exploited in malicious scenarios. This vulnerability aligns with CWE-401: Improper Release of Memory and represents a classic case of resource leak in security-critical systems.

The attack surface for this vulnerability is primarily limited to systems running OP-TEE versions between 3.3.0 and 4.11.0 that utilize non-contiguous shared memory functionality. The exploitation requires legitimate access to the normal-world caller interface, making it more of an operational risk than a direct security breach. However, the cumulative nature of the leak means that systems operating continuously without reboot could eventually become unstable or unusable. Mitigation efforts are limited to upgrading to version 4.11.0 or later where the patch addresses the bitmask application issue in the cleanup logic and ensures proper attribute handling throughout the shared memory management process.

The vulnerability demonstrates a fundamental flaw in memory management within security-critical contexts, where improper reference counting can lead to complete system instability. This type of resource leak vulnerability commonly appears in complex kernel modules and TEE implementations where multiple memory management pathways exist and proper synchronization between different subsystems becomes challenging. The issue may also relate to ATT&CK technique T1490: Inhibit System Recovery, as the progressive memory consumption ultimately requires system reboot for recovery. Organizations relying on OP-TEE should prioritize immediate upgrade to patched versions and implement monitoring for heap utilization patterns to detect potential leakage conditions before they reach critical levels.

Responsible

GitHub M

Reservation

04/28/2026

Disclosure

07/06/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!