CVE-2026-33317
Description
OP-TEE is a Trusted Execution Environment (TEE) designed as a companion to a non-secure Linux kernel running on Arm Cortex-A cores using the TrustZone technology. In versions 3.13.0 through 4.10.0, missing checks in entry_get_attribute_value() in ta/pkcs11/src/object.c can lead to an out-of-bounds read from the PKCS#11 TA heap or a crash. When chained with the OOB read, the PKCS#11 TA function PKCS11_CMD_GET_ATTRIBUTE_VALUE or entry_get_attribute_value() can, given a bad template parameter, be tricked into reading at most 7 bytes beyond the end of the template buffer and writing beyond the end of the template buffer with the content of an attribute value of a PKCS#11 object. Commits e031c4e562023fd9f199e39fd2e85797e4cbdca9, 16926d5a46934c46e6656246b4fc18385a246900, and 149e8d7ecc4ef8bb00ab4a37fd2ccede6d79e1ca contain patches and are anticipated to be part of version 4.11.0.
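The description above comes down to a template walker that trusted client-supplied lengths. As an added illustration (this is not OP-TEE code, and it does not reproduce the project's own data structures), the following C shows the defensive shape of such a walker: a serialized template of fixed-size headers, each followed by a variable-length value, checked so that neither a header nor a value is ever read past the end of the buffer. The header layout (32-bit id, 32-bit size) and every sample template are assumptions constructed for this example; the overflow-safe arithmetic is the equivalent of the ADD_OVERFLOW used in the fix commits.

```c
/*
 * Added example, not OP-TEE code: bounds-checking a serialized attribute
 * template of the shape the advisory describes. The header layout below is
 * an assumption made for this example; only the checking technique matters.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdbool.h>
#include <stdio.h>

struct attr_head {
	uint32_t id;
	uint32_t size;	/* number of value bytes that follow the header */
};

enum template_rc {
	TEMPLATE_OK = 0,
	TEMPLATE_TRUNCATED_HEADER,	/* fewer than sizeof(struct attr_head) bytes left */
	TEMPLATE_LENGTH_OVERFLOW,	/* header + size wrapped around */
	TEMPLATE_VALUE_OUT_OF_BOUNDS,	/* value would run past the end of the buffer */
};

/*
 * Walk every attribute in buf[0..buf_len) and verify that both its header and
 * its value lie inside the buffer. All arithmetic is done on offsets, never on
 * raw pointers, so the "past the end" comparisons cannot themselves wrap.
 * On success *count receives the number of attributes found.
 */
enum template_rc validate_template(const uint8_t *buf, size_t buf_len, size_t *count)
{
	size_t off = 0;
	size_t n = 0;

	while (off < buf_len) {
		struct attr_head head;
		size_t entry_len = 0;
		size_t entry_end = 0;

		/* Check 1: a complete header must fit before it is read. */
		if (buf_len - off < sizeof(head))
			return TEMPLATE_TRUNCATED_HEADER;

		/* Copy the header out: the buffer need not be aligned. */
		memcpy(&head, buf + off, sizeof(head));

		/* Check 2: header + value length must not wrap (compiler builtin). */
		if (__builtin_add_overflow(sizeof(head), (size_t)head.size, &entry_len) ||
		    __builtin_add_overflow(off, entry_len, &entry_end))
			return TEMPLATE_LENGTH_OVERFLOW;

		/* Check 3: the whole entry must end inside the buffer. */
		if (entry_end > buf_len)
			return TEMPLATE_VALUE_OUT_OF_BOUNDS;

		off = entry_end;
		n++;
	}

	if (count)
		*count = n;
	return TEMPLATE_OK;
}

/* Append one header + value at buf[*off]; false if it does not fit. */
static bool append_attr(uint8_t *buf, size_t cap, size_t *off,
			uint32_t id, uint32_t size, const void *value)
{
	struct attr_head head = { .id = id, .size = size };

	if (cap - *off < sizeof(head) + size)
		return false;
	memcpy(buf + *off, &head, sizeof(head));
	memcpy(buf + *off + sizeof(head), value, size);
	*off += sizeof(head) + size;
	return true;
}

/* Constructed sample: two well-formed attributes (4-byte and 3-byte values). */
static size_t build_wellformed(uint8_t *buf, size_t cap)
{
	size_t off = 0;
	const uint32_t klass = 3;			/* constructed class value */
	const uint8_t label[3] = { 'k', 'e', 'y' };	/* constructed label value */

	append_attr(buf, cap, &off, 0x0000, sizeof(klass), &klass);
	append_attr(buf, cap, &off, 0x0003, sizeof(label), label);
	return off;	/* 12 + 11 = 23 bytes */
}

enum template_rc check_wellformed_sample(size_t *count)
{
	uint8_t buf[64] = { 0 };
	size_t len = build_wellformed(buf, sizeof(buf));

	return validate_template(buf, len, count);
}

size_t wellformed_attr_count(void)
{
	size_t count = 0;

	(void)check_wellformed_sample(&count);
	return count;
}

/* Constructed sample: 5 trailing bytes, too few to hold another header. */
enum template_rc check_truncated_header_sample(void)
{
	uint8_t buf[64] = { 0 };
	size_t len = build_wellformed(buf, sizeof(buf));

	return validate_template(buf, len + 5, NULL);
}

/* Constructed sample: header claims a 100-byte value but only 4 bytes follow. */
enum template_rc check_oversized_value_sample(void)
{
	uint8_t buf[64] = { 0 };
	struct attr_head head = { .id = 0x0003, .size = 100 };

	memcpy(buf, &head, sizeof(head));
	return validate_template(buf, sizeof(head) + 4, NULL);
}

/* Constructed sample: size so large that header + size wraps on 32-bit size_t. */
enum template_rc check_wrapping_length_sample(void)
{
	uint8_t buf[64] = { 0 };
	struct attr_head head = { .id = 0x0003, .size = UINT32_MAX };

	memcpy(buf, &head, sizeof(head));
	return validate_template(buf, sizeof(buf), NULL);
}

int main(void)
{
	printf("well-formed: %d (attrs=%zu)\n", check_wellformed_sample(NULL),
	       wellformed_attr_count());
	printf("truncated header: %d\n", check_truncated_header_sample());
	printf("oversized value: %d\n", check_oversized_value_sample());
	printf("wrapping length: %d\n", check_wrapping_length_sample());
	return 0;
}
```

The three checks are applied in the order a parser actually needs them: the header is shown to fit before it is read, the entry length is computed with overflow detection, and only then is the entry compared against the buffer end. On a 64-bit build the wrapping-length sample is rejected by the third check; on a 32-bit build it is rejected by the second, which is why the walker returns distinct codes rather than a single boolean.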
Affected products
Patches
149e8d7ecc4e ta: pkcs11: fix attribute output size if too small on get attribute value
1 file changed · +4 −1
ta/pkcs11/src/object.c+4 −1 modified@@ -900,8 +900,11 @@ enum pkcs11_rc entry_get_attribute_value(struct pkcs11_client *client, attr_type_invalid = 1; break; case PKCS11_CKR_BUFFER_TOO_SMALL: - if (data_ptr) + if (data_ptr) { + cli_head.size = + PKCS11_CK_UNAVAILABLE_INFORMATION; buffer_too_small = 1; + } break; default: rc = PKCS11_CKR_GENERAL_ERROR;
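Review bot: the new assignment in the `PKCS11_CKR_BUFFER_TOO_SMALL` case writes `PKCS11_CK_UNAVAILABLE_INFORMATION` into `cli_head.size`, but `cli_head` is the local, aligned copy of the header; nothing in this hunk copies it back into the client's template entry, so the change only reaches the caller if the write-back that follows the switch also runs on this path, which is worth confirming and worth a short comment at the assignment. The behaviour itself matches what PKCS#11 specifies for C_GetAttributeValue when the supplied buffer is too short: the attribute's length field is set to CK_UNAVAILABLE_INFORMATION rather than left at the value the client passed in. The `if (data_ptr)` guard keeps the size-query path (no value pointer supplied) unchanged; that path should still report the required length.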
16926d5a4693 ta: pkcs11: check template consistency on get attribute value
1 file changed · +12 −1
ta/pkcs11/src/object.c+12 −1 modified@@ -840,12 +840,23 @@ enum pkcs11_rc entry_get_attribute_value(struct pkcs11_client *client, for (; cur < end; cur += len) { struct pkcs11_attribute_head *cli_ref = (void *)cur; struct pkcs11_attribute_head cli_head = { }; + uintptr_t cli_end = 0; void *data_ptr = NULL; + if ((char *)(cli_ref + 1) > end) { + rc = PKCS11_CKR_ARGUMENTS_BAD; + goto out; + } + /* Make copy of header so that is aligned properly. */ TEE_MemMove(&cli_head, cli_ref, sizeof(cli_head)); - len = sizeof(*cli_ref) + cli_head.size; + if (ADD_OVERFLOW(sizeof(*cli_ref), cli_head.size, &len) || + ADD_OVERFLOW((uintptr_t)cur, len, &cli_end) || + (char *)cli_end > end) { + rc = PKCS11_CKR_ARGUMENTS_BAD; + goto out; + } /* Treat hidden attributes as missing attributes */ if (attribute_is_hidden(&cli_head)) {
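Review bot: the first added check, `if ((char *)(cli_ref + 1) > end)`, relies on plain pointer arithmetic, while the header-plus-size computation a few lines later is deliberately done with `ADD_OVERFLOW`; writing the header check in the same defensive style, e.g. `if ((size_t)(end - cur) < sizeof(*cli_ref))`, avoids forming a pointer past `end` and keeps the two checks consistent. The `ADD_OVERFLOW` pair together with `(char *)cli_end > end` has the right shape: it rejects a `cli_head.size` that wraps `len` as well as one whose value would run past `end`, so the `cur += len` loop step can no longer leave `cur` beyond the buffer. Minor: `cli_end` is a `uintptr_t` that is only ever compared after a cast to `char *`; comparing `cli_end > (uintptr_t)end` would stay in integer arithmetic.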
e031c4e56202 ta: pkcs11: check output buffer size on get attribute value
1 file changed · +10 −0
ta/pkcs11/src/object.c+10 −0 modified@@ -800,6 +800,15 @@ enum pkcs11_rc entry_get_attribute_value(struct pkcs11_client *client, goto out; } + /* + * We will update the template with relevant data, without resizing it. + * Upon completion, it will be copied to client output buffer. + */ + if (out->memref.size < sizeof(*template) + template->attrs_size) { + rc = PKCS11_CKR_ARGUMENTS_BAD; + goto out; + } + /* Iterate over attributes and set their values */ /* * 1. If the specified attribute (i.e., the attribute specified by the @@ -912,6 +921,7 @@ enum pkcs11_rc entry_get_attribute_value(struct pkcs11_client *client, rc = PKCS11_CKR_BUFFER_TOO_SMALL; /* Move updated template to out buffer */ + out->memref.size = sizeof(*template) + template->attrs_size; TEE_MemMove(out->memref.buffer, template, out->memref.size); DMSG("PKCS11 session %"PRIu32": get attributes %#"PRIx32,
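Review bot: in the first hunk, the new guard `out->memref.size < sizeof(*template) + template->attrs_size` computes the required size without an overflow check; if `attrs_size` comes from client input, a value near `SIZE_MAX` makes the sum wrap to something small and the check passes. Compute it as `ADD_OVERFLOW(sizeof(*template), template->attrs_size, &needed)` and fail with `PKCS11_CKR_ARGUMENTS_BAD` on overflow, the way the companion commit handles the per-attribute lengths. The comment above the check states the invariant clearly (the template is updated in place and then copied to the client buffer), which is the right place for it.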
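Review bot: in the second hunk, `out->memref.size = sizeof(*template) + template->attrs_size;` repeats the expression used in the new check near the top of the function; computing the required size once into a local and reusing it for both the check and this assignment keeps the two from drifting apart and gives a single place to add an overflow check. Setting `out->memref.size` immediately before the `TEE_MemMove` into `out->memref.buffer` does make the copy length equal to the template length, which is exactly the amount the new guard established the output buffer can hold.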
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/OP-TEE/optee_os/commit/149e8d7ecc4ef8bb00ab4a37fd2ccede6d79e1ca (nvd, Patch)
- github.com/OP-TEE/optee_os/commit/16926d5a46934c46e6656246b4fc18385a246900 (nvd, Patch)
- github.com/OP-TEE/optee_os/commit/e031c4e562023fd9f199e39fd2e85797e4cbdca9 (nvd, Patch)
- github.com/OP-TEE/optee_os/security/advisories/GHSA-8cqw-mg7v-c9p9 (nvd, Patch, Vendor Advisory, Exploit)