Out-of-Bounds Read Vulnerability in OP-TEE Trusted Execution Environment
CVE-2026-33317

8.7HIGH

Key Information:

Vendor

Op-tee

Status
Optee Os
Vendor
CVE Published:
24 April 2026

What is CVE-2026-33317?

A vulnerability exists in OP-TEE, specifically in the entry_get_attribute_value() function, which lacks proper validation checks. This issue affects versions from 3.13.0 to 4.10.0, leading to potential out-of-bounds reads from the PKCS#11 TA heap. An attacker might exploit this flaw by manipulating template parameters, enabling unauthorized reading or writing of data beyond allocated buffers. This can result in application crashes or unexpected behavior, compromising the security integrity of systems utilizing OP-TEE.

Affected Version(s)

optee_os >= 3.13.0, <= 4.10.0

References

https://github.com/OP-TEE/optee_os/security/advisories/GH...
x_refsource_CONFIRM
https://github.com/OP-TEE/optee_os/commit/149e8d7ecc4ef8b...
x_refsource_MISC
https://github.com/OP-TEE/optee_os/commit/16926d5a46934c4...
x_refsource_MISC

CVSS V3.1

Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.