Panic Vulnerability in OP-TEE Security Platform Affecting Arm Cortex-A Architecture
CVE-2025-46733

7.9 HIGH

Key Information:

Vendor: Op-tee

CVE Published: 4 July 2025

What is CVE-2025-46733?

OP-TEE, a Trusted Execution Environment (TEE) platform, has a vulnerability in which an attacker running a malicious tee-supplicant binary in REE userspace can abuse the Secure Storage API. By making secure storage operations return unexpected return codes, the attacker can trigger a panic in a Trusted Application (TA). The risk is significant for TAs such as the fTPM, which rely on preserved memory state. The result can be denial of service or potentially serious data exposure, because an attacker could reset and manipulate important platform configuration registers (PCRs), compromising the integrity of sensitive data and of security measures.

Affected Version(s)

optee_os = 4.5.0

CVSS V3.1

Score: 7.9
Severity: HIGH
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
