VYPR
High severity 7.8 · NVD Advisory · Published Jun 3, 2026

CVE-2026-40290

Description

A use-after-free race condition in OP-TEE's FF-A shared memory teardown can lead to secure world memory corruption and information leakage.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A use-after-free race condition in OP-TEE's FF-A shared memory teardown can lead to secure world memory corruption and information leakage.

Vulnerability

A use-after-free (UAF) race condition exists in the FF-A shared memory teardown logic of OP-TEE's SPMC/SP flows, specifically when OP-TEE is configured as an SPMC for S-EL0 SPs with CFG_SECURE_PARTITION=y. The function sp_mem_remove() frees shared memory entries without acquiring the global sp_mem_lock. Other functions, such as sp_mem_get_receiver() and sp_mem_is_shared(), access the same lists without serialization against these unprotected frees, so a thread can dereference an object that has already been freed. This affects versions 3.16.0 up to, but not including, 4.11.0 [1].

Exploitation

An attacker can trigger this vulnerability by invoking FF-A functions such as FFA_MEM_RELINQUISH or FFA_MEM_RECLAIM from the non-secure world. The race occurs when a thread iterating over the shared memory lists obtains a pointer to an entry and sp_mem_remove() then frees that entry. When the first thread resumes and dereferences the pointer, the UAF condition results [1].
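The locking discipline whose absence is described above, as an added example that is not OP-TEE's code or its fix: readers and teardown take the same lock, and the reader copies the field out instead of keeping an entry pointer past the unlock. All names (shm_entry, shm_lock, shm_add, shm_get_receiver, shm_remove) are hypothetical, and a C11 atomic_flag spinlock stands in for the global list lock.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Simplified model, not OP-TEE source; every name here is hypothetical. */
struct shm_entry {
    uint64_t handle;          /* handle identifying the share */
    uint16_t receiver_id;     /* endpoint the region is shared with */
    struct shm_entry *next;
};
static struct shm_entry *shm_list;               /* global list of shares */
static atomic_flag shm_lock = ATOMIC_FLAG_INIT;  /* guards every access to shm_list */
static void shm_lock_take(void) { while (atomic_flag_test_and_set(&shm_lock)) { /* spin */ } }
static void shm_lock_drop(void) { atomic_flag_clear(&shm_lock); }

bool shm_add(uint64_t handle, uint16_t receiver_id) {
    struct shm_entry *e = malloc(sizeof(*e));
    if (!e) return false;
    shm_lock_take();
    *e = (struct shm_entry){ handle, receiver_id, shm_list };
    shm_list = e;             /* published only while holding the lock */
    shm_lock_drop();
    return true;
}
/* Reader: copy the field out under the lock; no entry pointer outlives the unlock. */
bool shm_get_receiver(uint64_t handle, uint16_t *out) {
    bool found = false;
    shm_lock_take();
    for (struct shm_entry *e = shm_list; e && !found; e = e->next)
        if ((found = (e->handle == handle)))
            *out = e->receiver_id;
    shm_lock_drop();
    return found;
}
/* Teardown: unlink and free under the same lock the readers take. */
bool shm_remove(uint64_t handle) {
    shm_lock_take();
    struct shm_entry **pp = &shm_list;
    while (*pp && (*pp)->handle != handle)
        pp = &(*pp)->next;
    struct shm_entry *victim = *pp;   /* NULL when the handle is unknown */
    bool removed = victim != NULL;
    if (removed)
        *pp = victim->next;           /* unlink first */
    free(victim);                     /* then free, still serialized with readers */
    shm_lock_drop();
    return removed;
}
```

Locking only the remove path would not be enough if a lookup handed a raw entry pointer back to its caller, which is why the reader here returns a copy.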

Impact

Successful exploitation allows a non-secure flow to cause the secure world to dereference freed memory. This can result in memory corruption within the secure world and potential information leakage if freed objects are subsequently read by the secure world [1].

Mitigation

Version 4.11.0 of OP-TEE includes a fix for this vulnerability. Users are advised to update to version 4.11.0 or later. No workarounds are specified in the available references [1].

AI Insight generated on Jun 3, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

References

1
