CVE-2026-40290: CWE-416: Use After Free in OP-TEE optee_os
A Use-After-Free (UAF) vulnerability exists in OP-TEE's optee_os versions from 3. 16. 0 up to but not including 4. 11. 0. The flaw arises from a race condition in the shared memory teardown logic when OP-TEE is configured as an SPMC for secure partitions (CFG_SECURE_PARTITION=y). Specifically, the sp_mem_remove() function frees memory without proper locking, allowing concurrent threads to dereference freed pointers. This vulnerability is addressed in version 4. 11. 0.
AI Analysis
Technical Summary
CVE-2026-40290 is a high-severity Use-After-Free vulnerability in OP-TEE's optee_os affecting versions >=3.16.0 and <4.11.0. The issue occurs in the shared memory teardown logic of FF-A within OP-TEE SPMC/SP flows when configured with CFG_SECURE_PARTITION=y. The sp_mem_remove() function frees entries in smem->receivers and smem->regions without acquiring the global sp_mem_lock, leading to a race condition with other code paths that iterate these lists. This can cause a thread to dereference a pointer to a freed object, resulting in a Use-After-Free condition. Version 4.11.0 includes a fix for this vulnerability.
Potential Impact
Successful exploitation of this vulnerability can lead to arbitrary code execution or denial of service within the secure environment due to the high impact on confidentiality, integrity, and availability (CVSS 7.8). The vulnerability affects the trusted execution environment on ARM Cortex-A cores using TrustZone technology when configured as an SPMC for secure partitions. There are no known exploits in the wild as of the published date.
Mitigation Recommendations
Version 4.11.0 of optee_os fixes this vulnerability. Users should upgrade to version 4.11.0 or later to remediate this issue. Patch status is not explicitly confirmed in the provided data, but the description states the issue is fixed in 4.11.0. Until upgrading, avoid configurations that enable CFG_SECURE_PARTITION=y if feasible. Monitor the vendor advisory for official patch releases and further guidance.
CVE-2026-40290: CWE-416: Use After Free in OP-TEE optee_os
Description
A Use-After-Free (UAF) vulnerability exists in OP-TEE's optee_os versions from 3. 16. 0 up to but not including 4. 11. 0. The flaw arises from a race condition in the shared memory teardown logic when OP-TEE is configured as an SPMC for secure partitions (CFG_SECURE_PARTITION=y). Specifically, the sp_mem_remove() function frees memory without proper locking, allowing concurrent threads to dereference freed pointers. This vulnerability is addressed in version 4. 11. 0.
CVSS v3.1
Score 7.8high
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-40290 is a high-severity Use-After-Free vulnerability in OP-TEE's optee_os affecting versions >=3.16.0 and <4.11.0. The issue occurs in the shared memory teardown logic of FF-A within OP-TEE SPMC/SP flows when configured with CFG_SECURE_PARTITION=y. The sp_mem_remove() function frees entries in smem->receivers and smem->regions without acquiring the global sp_mem_lock, leading to a race condition with other code paths that iterate these lists. This can cause a thread to dereference a pointer to a freed object, resulting in a Use-After-Free condition. Version 4.11.0 includes a fix for this vulnerability.
Potential Impact
Successful exploitation of this vulnerability can lead to arbitrary code execution or denial of service within the secure environment due to the high impact on confidentiality, integrity, and availability (CVSS 7.8). The vulnerability affects the trusted execution environment on ARM Cortex-A cores using TrustZone technology when configured as an SPMC for secure partitions. There are no known exploits in the wild as of the published date.
Mitigation Recommendations
Version 4.11.0 of optee_os fixes this vulnerability. Users should upgrade to version 4.11.0 or later to remediate this issue. Patch status is not explicitly confirmed in the provided data, but the description states the issue is fixed in 4.11.0. Until upgrading, avoid configurations that enable CFG_SECURE_PARTITION=y if feasible. Monitor the vendor advisory for official patch releases and further guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-10T20:22:44.035Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a206580e29bf47b50d410ab
Added to database: 6/3/2026, 5:33:52 PM
Last enriched: 6/3/2026, 5:48:26 PM
Last updated: 6/3/2026, 6:46:38 PM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.