CVE-2026-45702

Vulnerability

A type confusion vulnerability exists in OP-TEE OS versions 4.3.0 through 4.10.0 when processing an FFA_MEM_SHARE request from the normal world. This issue is specific to configurations where OP-TEE acts as an SPMC for S-EL0 SPs, indicated by CFG_CORE_SEL1_SPMC=y and CFG_SECURE_PARTITION=y. The vulnerability arises when a dynamically allocated buffer is mistakenly passed as a struct ffa_rxtx pointer to spmc_sp_add_share(), allowing the normal world to control the address OP-TEE OS reads [1].

Exploitation

An attacker in the EL1 Normal World can exploit this vulnerability by sending a crafted FFA_MEM_SHARE request. This request involves a dynamically allocated buffer that is incorrectly interpreted by OP-TEE OS. The attacker needs to be in a position to send requests to the OP-TEE TEE, which is possible when the system is configured as described in the vulnerability section [1].

Impact

Successful exploitation of this vulnerability allows an EL1 Normal World attacker to crash the OP-TEE secure world (S-EL1 kernel). This can disrupt the normal world hypervisor and any other guest operating systems running on the affected platform. Platforms like Arm Corstone-1000 are confirmed to be affected if the relevant configuration options are enabled [1].

Mitigation

Version 4.11.0 of OP-TEE OS addresses this vulnerability. A patch titled "core: ffa: deny dynamic memory sharing to S-EL0 SPs" was released to fix the issue. Users are advised to upgrade to version 4.11.0 or later. No workarounds are specified in the available references [1].