OP-TEE has a Use-After-Free race in FF-A shared-memory teardown
CVE-2026-40290
What is CVE-2026-40290?
OP-TEE is a Trusted Execution Environment (TEE) designed as a companion to a non-secure Linux kernel running on Arm Cortex-A cores using the TrustZone technology. Starting in version 3.16.0 and prior to 4.11.0, a use-after-free (UAF) race condition exists in the shared memory teardown logic of FF-A within OP-TEE SPMC/SP flows. This only applies when OP-TEE is configured as an SPMC for S-EL0 SPs, that is, with CFG_SECURE_PARTITION=y.

The function sp_mem_remove(), responsible for freeing entries in smem->receivers and smem->regions, fails to acquire the global sp_mem_lock before performing the free() operations. Concurrently, other code paths either iterate over these same lists without holding a lock, as sp_mem_get_receiver() does, or, like sp_mem_is_shared(), iterate while holding the lock but are not serialized against the unprotected free() in sp_mem_remove(). This creates a cross-thread race: a thread iterating the list acquires a pointer to an entry (e.g., struct sp_mem_map_region or struct sp_mem_receiver), and another thread then calls sp_mem_remove(), freeing the object. When the first thread resumes and dereferences the pointer, the result is a use-after-free. Version 4.11.0 fixes the issue.
Affected Version(s)
optee_os >= 3.16.0, < 4.11.0
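The locking discipline whose absence the description identifies can be shown in a small model. This is an added example, not OP-TEE code and not the 4.11.0 patch: a pthread mutex stands in for sp_mem_lock, and the struct and function names are hypothetical.

```c
/* Simplified model, not OP-TEE source: all names below are hypothetical. */
#include <pthread.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
struct receiver { uint16_t id; uint8_t perm; struct receiver *next; };
struct shared_mem { struct receiver *receivers; };
/* Stands in for the single global lock that guards every shared-memory list. */
static pthread_mutex_t mem_lock = PTHREAD_MUTEX_INITIALIZER;

bool mem_add_receiver(struct shared_mem *m, uint16_t id, uint8_t perm)
{
    struct receiver *r = calloc(1, sizeof(*r));
    if (!r) return false;
    r->id = id; r->perm = perm;
    pthread_mutex_lock(&mem_lock);
    r->next = m->receivers;
    m->receivers = r;
    pthread_mutex_unlock(&mem_lock);
    return true;
}

/* Lookup copies the field out while the lock is held, so no pointer to a
 * list entry outlives the unlock, where a concurrent teardown could free it. */
bool mem_get_receiver_perm(struct shared_mem *m, uint16_t id, uint8_t *perm)
{
    bool found = false;
    pthread_mutex_lock(&mem_lock);
    for (struct receiver *r = m->receivers; r && !found; r = r->next) {
        if (r->id == id) { *perm = r->perm; found = true; }
    }
    pthread_mutex_unlock(&mem_lock);
    return found;
}

/* Teardown unlinks and frees under the same lock the iterators take. */
size_t mem_remove_all(struct shared_mem *m)
{
    size_t n = 0;
    pthread_mutex_lock(&mem_lock);
    while (m->receivers) {
        struct receiver *r = m->receivers;
        m->receivers = r->next;
        free(r);
        n++;
    }
    pthread_mutex_unlock(&mem_lock);
    return n;
}
```

Both halves matter: taking the lock in the teardown path alone does not help a lookup that returns a raw entry pointer to a caller who dereferences it after the lock is dropped.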
