CVE-2026-40290: CWE-416: Use After Free in OP-TEE optee_os
OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone technology. Starting in version 3.16.0 and prior to 4.11.0, a user-after-free (UAF) race condition exists in the shared memory teardown logic of FF-A within OP-TEE SPMC/SP flows. This only applies when OP-TEE is configured as an SPMC for S-EL0 SPs, that is, with `CFG_SECURE_PARTITION=y`. The function `sp_mem_remove()`, responsible for freeing entries in `smem->receivers` and `smem->regions`, fails to acquire the global `sp_mem_lock` before performing the `free()` operations. Concurrently, other code paths, such as `sp_mem_get_receiver()`, iterate over these same lists without holding a lock, or, like `sp_mem_is_shared()`, iterate while holding the lock but are not serialized against the unprotected `free()` in `sp_mem_remove()`. This creates a cross-thread race where a thread iterating the list can acquire a pointer to an entry (e.g., `struct sp_mem_map_region` or `struct sp_mem_receiver`), and then another thread calls `sp_mem_remove()`, freeing the object. When the first thread resumes and dereferences the pointer, it results in a Use-After-Free vulnerability. Version 4.11.0 fixes the issue.
AI Analysis
Technical Summary
CVE-2026-40290 is a Use-After-Free vulnerability in OP-TEE optee_os affecting versions >=3.16.0 and <4.11.0. The flaw occurs in the shared memory teardown logic of FF-A within OP-TEE SPMC/SP flows when configured with CFG_SECURE_PARTITION=y. The function sp_mem_remove() frees entries in shared memory lists without acquiring the global sp_mem_lock, while other functions iterate over these lists either without locks or with insufficient serialization. This race condition allows one thread to free an object while another thread holds a pointer to it, leading to a Use-After-Free scenario. The vulnerability is fixed in version 4.11.0.
Potential Impact
The vulnerability allows a local attacker with limited privileges (low attack complexity, low privileges required, no user interaction) to exploit a race condition resulting in Use-After-Free. This can lead to high impact on confidentiality, integrity, and availability of the trusted execution environment, potentially allowing arbitrary code execution or denial of service within the secure world.
Mitigation Recommendations
A fix is available in OP-TEE optee_os version 4.11.0. Users and administrators should upgrade to version 4.11.0 or later to remediate this vulnerability. Until then, no official workaround or temporary fix is documented; therefore, upgrading is the recommended mitigation.
CVE-2026-40290: CWE-416: Use After Free in OP-TEE optee_os
Description
OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone technology. Starting in version 3.16.0 and prior to 4.11.0, a user-after-free (UAF) race condition exists in the shared memory teardown logic of FF-A within OP-TEE SPMC/SP flows. This only applies when OP-TEE is configured as an SPMC for S-EL0 SPs, that is, with `CFG_SECURE_PARTITION=y`. The function `sp_mem_remove()`, responsible for freeing entries in `smem->receivers` and `smem->regions`, fails to acquire the global `sp_mem_lock` before performing the `free()` operations. Concurrently, other code paths, such as `sp_mem_get_receiver()`, iterate over these same lists without holding a lock, or, like `sp_mem_is_shared()`, iterate while holding the lock but are not serialized against the unprotected `free()` in `sp_mem_remove()`. This creates a cross-thread race where a thread iterating the list can acquire a pointer to an entry (e.g., `struct sp_mem_map_region` or `struct sp_mem_receiver`), and then another thread calls `sp_mem_remove()`, freeing the object. When the first thread resumes and dereferences the pointer, it results in a Use-After-Free vulnerability. Version 4.11.0 fixes the issue.
CVSS v3.1
Score 7.8high
Affected software
pkg:github/op-tee/optee_osRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-40290 is a Use-After-Free vulnerability in OP-TEE optee_os affecting versions >=3.16.0 and <4.11.0. The flaw occurs in the shared memory teardown logic of FF-A within OP-TEE SPMC/SP flows when configured with CFG_SECURE_PARTITION=y. The function sp_mem_remove() frees entries in shared memory lists without acquiring the global sp_mem_lock, while other functions iterate over these lists either without locks or with insufficient serialization. This race condition allows one thread to free an object while another thread holds a pointer to it, leading to a Use-After-Free scenario. The vulnerability is fixed in version 4.11.0.
Potential Impact
The vulnerability allows a local attacker with limited privileges (low attack complexity, low privileges required, no user interaction) to exploit a race condition resulting in Use-After-Free. This can lead to high impact on confidentiality, integrity, and availability of the trusted execution environment, potentially allowing arbitrary code execution or denial of service within the secure world.
Mitigation Recommendations
A fix is available in OP-TEE optee_os version 4.11.0. Users and administrators should upgrade to version 4.11.0 or later to remediate this vulnerability. Until then, no official workaround or temporary fix is documented; therefore, upgrading is the recommended mitigation.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-10T20:22:44.035Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a206580e29bf47b50d410ab
Added to database: 6/3/2026, 5:33:52 PM
Last enriched: 6/10/2026, 7:35:41 PM
Last updated: 6/18/2026, 4:50:27 AM
Views: 39
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.