CVE-2025-31719

The TEE (Trusted Execution Environment) EcDSA algorithm suffers from an improper initialization vulnerability (CWE-665). This memory consistency issue arises during signature generation, causing the algorithm to occasionally produce incorrect signature results. The flaw is inherent to the EcDSA implementation and is classified as a local access vulnerability.

Exploitation requires local access to the device, but does not require any additional privileges or user interaction. An attacker could potentially trigger the condition to generate faulty signatures, though the probability of success is low. The attack surface is limited to devices using the affected chipsets and Android software versions.

If successfully exploited, an attacker could cause denial of service or integrity issues by generating invalid signatures. This could undermine cryptographic operations that rely on correct EcDSA signatures, such as authentication or data integrity checks. The overall CVSS score is 5.1, reflecting medium severity due to low impact on confidentiality but some impact on integrity and availability.

Unisoc has published an advisory [1] detailing affected chipsets and software versions. The vulnerability affects Android versions 13 through 16 on a wide range of chipsets including SC9863A, T610, T760, T820, and others. The recommended mitigation is to apply security updates provided by device OEMs or contact Unisoc for the latest information. No public evidence of active exploitation exists at this time.