CVE-2026-42546
CVE-2026-42546 is a low-severity vulnerability in Trustedfirmware Op-tee with a CVSS 3.x base score of 3.8. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-770.
Key facts
- Severity: Low (CVSS 3.x base score 3.8)
- EPSS exploit prediction: 0% (1st percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-770
- Affected product: Trustedfirmware Op-tee
- Published:
- Last modified:
Description
OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone technology. Starting in version 3.3.0 and prior to version 4.11.0, a resource leak exists in OP-TEE’s shared memory cleanup logic because the function `cleanup_shm_refs()` in `core/tee/entry_std.c` fails to apply a required bitmask (`OPTEE_MSG_ATTR_TYPE_MASK`) to parameter attributes. When processing non-contiguous memory parameters from a normal-world caller, the system fails to match the attribute type in its internal switch statement and skips the necessary mobj_put() call. This results in a persistent reference leak of `mobj_reg_shm` objects, which remain on internal lists with dangling refcounts. This affects non-FF-A configurations that support non-contiguous, non-secure shared memory. Over time, these accumulated leaks progressively consume the secure-world heap, degrading the system's ability to service trusted application operations and eventually requiring a reboot to recover. Version 4.11.0 contains a patch. No known workarounds are available.
Frequently asked questions
- What is CVE-2026-42546?
- OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone technology. Starting in version 3.3.0 and prior to version 4.11.0, a resource leak exists in OP-TEE’s shared memory cleanup logic because the function `cleanup_shm_refs()` in `core/tee/entry_std.c` fails to apply a required bitmask (`OPTEE_MSG_ATTR_TYPE_MASK`) to parameter attributes. When processing non-contiguous memory parameters from a normal-world caller, the system fails to match the attribute type in its internal switch statement and skips the necessary mobj_put() call. This results in a persistent reference leak of `mobj_reg_shm` objects, which remain on internal lists with dangling refcounts. This affects non-FF-A configurations that support non-contiguous, non-secure shared memory. Over time, these accumulated leaks progressively consume the secure-world heap, degrading the system's ability to service trusted application operations and eventually requiring a reboot to recover. Version 4.11.0 contains a patch. No known workarounds are available.
- How severe is CVE-2026-42546?
- CVE-2026-42546 has a CVSS 3.x base score of 3.8, rated low severity. It is exploitable over local access with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is none, integrity none, and availability low.
- Is CVE-2026-42546 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (1st percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2026-42546?
- CVE-2026-42546 affects Trustedfirmware Op-tee. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2026-42546?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2026-42546 published?
- CVE-2026-42546 was published on 2026-07-06 and last updated on 2026-07-07.
References
Affected products (1)
- cpe:2.3:o:trustedfirmware:op-tee:*:*:*:*:*:*:*:*
More vulnerabilities in Trustedfirmware Op-tee
- CVE-2019-1010292 — Critical (CVSS 9.8): Linaro/OP-TEE OP-TEE Prior to version v3.4.0 is affected by: Boundary checks. The impact is: This could lead to…
- CVE-2019-1010298 — Critical (CVSS 9.8): Linaro/OP-TEE OP-TEE 3.3.0 and earlier is affected by: Buffer Overflow. The impact is: Code execution in the context of…
- CVE-2019-1010297 — Critical (CVSS 9.8): Linaro/OP-TEE OP-TEE 3.3.0 and earlier is affected by: Buffer Overflow. The impact is: Execution of code in TEE core…
- CVE-2019-1010296 — Critical (CVSS 9.8): Linaro/OP-TEE OP-TEE 3.3.0 and earlier is affected by: Buffer Overflow. The impact is: Code execution in context of TEE…
- CVE-2019-1010295 — Critical (CVSS 9.8): Linaro/OP-TEE OP-TEE 3.3.0 and earlier is affected by: Buffer Overflow. The impact is: Memory corruption and disclosure…
- CVE-2019-1010293 — Critical (CVSS 9.8): Linaro/OP-TEE OP-TEE 3.3.0 and earlier is affected by: Boundary crossing. The impact is: Memory corruption of the TEE…
All CVEs affecting Trustedfirmware Op-tee →
Other CWE-770 (Allocation of Resources Without Limits or Throttling) vulnerabilities
- CVE-2026-31283 — Critical (CVSS 9.8): In Totara LMS v19.1.5 and before, the forgot password API does not implement rate limiting for the target email…
- CVE-2020-37067 — Critical (CVSS 9.8): Filetto 1.0 FTP server contains a denial of service vulnerability in the FEAT command processing that allows attackers…
- CVE-2021-47875 — Critical (CVSS 9.8): GeoGebra CAS Calculator 6.0.631.0 contains a denial of service vulnerability that allows attackers to crash the…
- CVE-2025-11832 — Critical (CVSS 9.8): Allocation of Resources Without Limits or Throttling vulnerability in Azure Access Technology BLU-IC2, Azure Access…
- CVE-2024-44241 — Critical (CVSS 9.8): The issue was addressed with improved bounds checks. This issue is fixed in iOS 18.1 and iPadOS 18.1, macOS Sequoia…
- CVE-2022-3439 — Critical (CVSS 9.8): Allocation of Resources Without Limits or Throttling in GitHub repository ikus060/rdiffweb prior to 2.5.0.
Browse all CWE-770 (Allocation of Resources Without Limits or Throttling) vulnerabilities →