Unrated severity · NVD Advisory · Published Oct 19, 2023 · Updated Aug 3, 2024

Flawed SK_LOAD module authenticity check in Texas Instruments OMAP L138

CVE-2022-25333

Description

The Texas Instruments OMAP L138 (secure variants) trusted execution environment (TEE) performs an RSA check implemented in mask ROM when loading a module through the SK_LOAD routine. However, only the module header authenticity is validated. An adversary can re-use any correctly signed header and append a forged payload, to be encrypted using the CEK (obtainable through CVE-2022-25332) in order to obtain arbitrary code execution in secure context. This constitutes a full break of the TEE security architecture.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability mechanics

Root cause

"The mask ROM RSA check in SK_LOAD validates only the module header's authenticity, not the payload, allowing a forged payload to be appended to any correctly signed header."

Attack vector

An adversary re-uses any correctly signed module header and appends a forged payload. The payload is encrypted using the CEK, which can be obtained through CVE-2022-25332. Because the mask ROM RSA check only validates the header, the forged payload is loaded without detection, allowing arbitrary code execution in the secure context [ref_id=1].

Affected code

The vulnerability is in the Texas Instruments OMAP L138 (secure variants) trusted execution environment (TEE) mask ROM. The SK_LOAD routine performs an RSA check on module headers, but only validates the header's authenticity, not the payload that follows it.

What the fix does

The advisory does not specify a patch for this vulnerability. No fix is published in the supplied bundle. The description indicates the root cause is a design limitation in the mask ROM's RSA validation logic, which would require a hardware revision to fully address.
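
The header-only check described above, modelled beside a check that also binds the payload to the signed header. This is an added example, not TI's mask ROM code or module format: the layout, the names and the demo key are hypothetical, HMAC-SHA256 stands in for the RSA signature check, and payload encryption under the CEK is left out.

```python
import hashlib
import hmac
import struct

# Hypothetical module layout for illustration only (NOT the OMAP L138 format):
#   header = magic(4) | payload_len(4, big-endian) | payload_sha256(32)
#   module = header | signature(32) | payload
# HMAC-SHA256 under a constructed key stands in for the ROM's RSA check.
DEMO_KEY = b"constructed-demo-key"
MAGIC = b"MODL"
HDR_LEN, SIG_LEN = 40, 32

def sign_module(payload: bytes) -> bytes:
    """Vendor side: build a header describing the payload, sign the header."""
    header = MAGIC + struct.pack(">I", len(payload)) + hashlib.sha256(payload).digest()
    sig = hmac.new(DEMO_KEY, header, hashlib.sha256).digest()
    return header + sig + payload

def _split(module: bytes):
    if len(module) < HDR_LEN + SIG_LEN:
        raise ValueError("module too short")
    header, sig = module[:HDR_LEN], module[HDR_LEN:HDR_LEN + SIG_LEN]
    return header, sig, module[HDR_LEN + SIG_LEN:]

def _header_authentic(header: bytes, sig: bytes) -> bool:
    expected = hmac.new(DEMO_KEY, header, hashlib.sha256).digest()
    return header[:4] == MAGIC and hmac.compare_digest(sig, expected)

def load_header_only(module: bytes) -> bool:
    """Flawed pattern: authenticates the header, never checks the payload."""
    header, sig, _payload = _split(module)
    return _header_authentic(header, sig)

def load_bound(module: bytes) -> bool:
    """Corrected pattern: the payload must match what the signed header states."""
    header, sig, payload = _split(module)
    if not _header_authentic(header, sig):
        return False
    (length,) = struct.unpack(">I", header[4:8])
    digest_ok = hmac.compare_digest(hashlib.sha256(payload).digest(), header[8:40])
    return length == len(payload) and digest_ok

def demo():
    """Constructed inputs: a genuine module and one with a different payload."""
    good = sign_module(b"genuine module body")
    swapped = good[:HDR_LEN + SIG_LEN] + b"different body, same signed header"
    return (load_header_only(good), load_bound(good),
            load_header_only(swapped), load_bound(swapped))
```

`demo()` shows the difference: both loaders accept the genuine module, but only `load_bound` rejects the module whose payload no longer matches its signed header.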

Preconditions

  • input: Attacker must first obtain the CEK via CVE-2022-25332
  • input: Attacker must have a correctly signed module header to reuse
  • network: Attacker must be able to deliver the crafted module to the SK_LOAD routine

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1
