CVE-2025-46733 is a high-severity vulnerability affecting OP-TEE (Open Portable Trusted Execution Environment) version 4.5.0, specifically related to improper handling of exceptional conditions in the Secure Storage API implemented in libutee. OP-TEE is a Trusted Execution Environment designed to run alongside a non-secure Linux kernel on Arm Cortex-A cores using TrustZone technology. The vulnerability arises because the OP-TEE implementation passes return codes from secure storage operations unsanitized from the Rich Execution Environment (REE) tee-supplicant process through the Linux kernel tee-driver and OP-TEE kernel back to libutee. According to the TEE Internal Core API specification, libutee functions panic if they receive unexpected return codes. An attacker with access to REE userspace who can stop the legitimate tee-supplicant and replace it with a malicious version can respond with crafted unexpected return codes, triggering a panic in the Trusted Application (TA) using the Secure Storage API. This is particularly dangerous for TAs built with TA_FLAG_SINGLE_INSTANCE and TA_FLAG_INSTANCE_KEEP_ALIVE, which preserve memory state between sessions. The optee_ftpm TA (firmware TPM) is a critical example: it holds Platform Configuration Register (PCR) values in kept-alive memory, which must be non-resettable to ensure integrity of boot measurements and sealed data. An attacker can cause the fTPM TA to panic and reload, resetting PCRs and allowing falsification of boot measurements, unauthorized access to sealed data, and potentially other attacks. The impact varies by TA; some may only experience denial of service, while others like fTPM can suffer confidentiality breaches. The vulnerability requires local access to REE userspace and at least low privileges to replace tee-supplicant, which may be trivial for root users or possible for less privileged users depending on system permissions. A fix has been committed to sanitize return codes and prevent this panic-triggering behavior. The CVSS v3.1 score is 7.9 (high), reflecting local attack vector, low complexity, low privileges required, no user interaction, and a scope change with high confidentiality impact, limited integrity impact, and limited availability impact.

For European organizations, the impact of CVE-2025-46733 can be significant, especially those relying on OP-TEE for secure operations on Arm-based devices. This includes sectors such as telecommunications, automotive, industrial control systems, and IoT deployments where OP-TEE is used to protect sensitive operations and data. The ability to reset PCRs in the fTPM TA undermines the root of trust for secure boot and measured boot processes, potentially allowing attackers to bypass security controls, access sealed cryptographic keys or credentials, and falsify system integrity measurements. This can lead to unauthorized data disclosure, compromise of cryptographic operations, and erosion of trust in device security. Denial of service conditions caused by TA panics can disrupt critical services relying on trusted applications. Since the attack requires local access and the ability to replace tee-supplicant, the threat is more acute in environments where endpoint security is weak or where attackers have gained initial footholds. The vulnerability could also affect cloud providers or data centers using Arm servers with OP-TEE, impacting confidentiality and availability of hosted workloads. Overall, the vulnerability poses a risk to confidentiality, integrity, and availability of secure operations in affected environments.

European organizations should take the following specific mitigation steps: 1) Immediately upgrade OP-TEE to a patched version that includes the fix (commit 941a58d78c99c4754fbd4ec3079ec9e1d596af8f) to sanitize return codes and prevent panic triggers. 2) Restrict permissions on the tee-supplicant binary and related processes to prevent unauthorized stopping or replacement, ensuring only trusted users can interact with these components. 3) Implement strict endpoint security controls to limit local user privileges and prevent attackers from gaining the ability to replace tee-supplicant. 4) Monitor for abnormal tee-supplicant behavior or TA panics as indicators of exploitation attempts. 5) For critical systems using fTPM or other TAs with persistent memory, consider additional runtime integrity checks and attestation mechanisms to detect PCR resets or unexpected TA reloads. 6) Conduct security audits of TAs leveraging the Secure Storage API to assess susceptibility to similar panic-triggering attacks. 7) Employ hardware-based protections and secure boot chains to reduce risk of local privilege escalation that could enable this attack. 8) Coordinate with device and platform vendors to ensure timely deployment of patches and security updates.