CVE-2022-40759

Vulnerability

The TEE_MACCompareFinal function in Samsung mTower through version 0.3.0 contains a NULL pointer dereference vulnerability in file tee/lib/libutee/tee_api_objects.c [1][2]. The function does not validate that its operation parameter is a valid pointer before dereferencing it in the check if (operation->info.operationClass != TEE_OPERATION_MAC) [1][2]. Any trusted application calling TEE_MACCompareFinal with a NULL pointer for the operation argument triggers this flaw.

Exploitation

An attacker needs the ability to execute a trusted application (TA) within the mTower trusted execution environment. The TA simply invokes the function TEE_MACCompareFinal with the operation parameter set to NULL [1][2]. No additional authentication, race window, or special privileges beyond running a TA are required.

Impact

Successful exploitation causes a NULL pointer dereference, leading to a crash of the trusted execution environment kernel [2]. The outcome is a Denial of Service (DoS) for the TEE, which may affect all trusted applications and services relying on the TEE; no immediate code execution or information disclosure is described in the references.

Mitigation

As of the publication date, the vendor has not released a patch fixing CVE-2022-40759; users should update when a fix becomes available. The issue is tracked in the mTower repository [2]. No workaround is documented, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.