CVE-2026-44362: CWE-285: Improper Authorization in OP-TEE optee_os
OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone technology. Starting in version 3.20.0 and prior to version 4.11.0, a vulnerability in OP-TEE’s subkey rollback protection allows the use of revoked or older subkey versions because the system fails to propagate versioning data during the Trusted Application (TA) loading process. In `core/crypto/signed_hdr.c`, the function `shdr_load_pub_key()` parses subkey headers but does not assign the `subkey_version` to the runtime `shdr_pub_key` structure. As a result, the `key->version` field remains at zero regardless of the version specified in the header. When `ree_fs_ta_open()` in `core/kernel/ree_fs_ta.c` calls `check_update_version()`, it passes this zeroed version to the rollback database. Because the database never receives a non-zero version to record, it never advances, effectively bypassing the rollback check and allowing TAs signed with downgraded subkey chains to load successfully. This impacts OP-TEE mainline configurations that utilize subkey-based signing chains for Trusted Application (TA) authentication. Version 4.11.0 contains a patch. No known workarounds are available.
AI Analysis
Technical Summary
OP-TEE's subkey rollback protection mechanism is bypassed because the function responsible for loading public key headers does not assign the subkey version to the runtime structure. Consequently, the rollback database never receives a valid version to update, allowing downgraded subkey chains to be accepted during Trusted Application authentication. This affects OP-TEE mainline configurations using subkey-based signing chains from version 3.20.0 up to but not including 4.11.0. The vulnerability is fixed in version 4.11.0.
Potential Impact
An attacker can load Trusted Applications signed with revoked or older subkey versions, effectively bypassing rollback protection. This leads to improper authorization, potentially allowing unauthorized or malicious Trusted Applications to run within the OP-TEE Trusted Execution Environment. The vulnerability does not impact confidentiality or availability but impacts integrity by allowing unauthorized code execution.
Mitigation Recommendations
Version 4.11.0 of OP-TEE optee_os contains an official patch that fixes this vulnerability. Users should upgrade to version 4.11.0 or later to remediate the issue. No known workarounds are available. Patch status is not explicitly confirmed in the advisory, but the presence of a fix in version 4.11.0 indicates an official remediation.
CVE-2026-44362: CWE-285: Improper Authorization in OP-TEE optee_os
Description
OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone technology. Starting in version 3.20.0 and prior to version 4.11.0, a vulnerability in OP-TEE’s subkey rollback protection allows the use of revoked or older subkey versions because the system fails to propagate versioning data during the Trusted Application (TA) loading process. In `core/crypto/signed_hdr.c`, the function `shdr_load_pub_key()` parses subkey headers but does not assign the `subkey_version` to the runtime `shdr_pub_key` structure. As a result, the `key->version` field remains at zero regardless of the version specified in the header. When `ree_fs_ta_open()` in `core/kernel/ree_fs_ta.c` calls `check_update_version()`, it passes this zeroed version to the rollback database. Because the database never receives a non-zero version to record, it never advances, effectively bypassing the rollback check and allowing TAs signed with downgraded subkey chains to load successfully. This impacts OP-TEE mainline configurations that utilize subkey-based signing chains for Trusted Application (TA) authentication. Version 4.11.0 contains a patch. No known workarounds are available.
CVSS v3.1
Score 5.5medium
Affected software
pkg:github/op-tee/optee_osRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
OP-TEE's subkey rollback protection mechanism is bypassed because the function responsible for loading public key headers does not assign the subkey version to the runtime structure. Consequently, the rollback database never receives a valid version to update, allowing downgraded subkey chains to be accepted during Trusted Application authentication. This affects OP-TEE mainline configurations using subkey-based signing chains from version 3.20.0 up to but not including 4.11.0. The vulnerability is fixed in version 4.11.0.
Potential Impact
An attacker can load Trusted Applications signed with revoked or older subkey versions, effectively bypassing rollback protection. This leads to improper authorization, potentially allowing unauthorized or malicious Trusted Applications to run within the OP-TEE Trusted Execution Environment. The vulnerability does not impact confidentiality or availability but impacts integrity by allowing unauthorized code execution.
Mitigation Recommendations
Version 4.11.0 of OP-TEE optee_os contains an official patch that fixes this vulnerability. Users should upgrade to version 4.11.0 or later to remediate the issue. No known workarounds are available. Patch status is not explicitly confirmed in the advisory, but the presence of a fix in version 4.11.0 indicates an official remediation.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-05T20:15:20.630Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a4c076827e9c7971920cba5
Added to database: 07/06/2026, 19:52:08 UTC
Last enriched: 07/06/2026, 20:07:16 UTC
Last updated: 07/06/2026, 22:52:02 UTC
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.