Security Flaw in Hisilicon HPRE Crypto Driver for OP-TEE
CVE-2026-41514

2.5LOW

Key Information:

Vendor

Op-tee

Status
Vendor
CVE Published:
6 July 2026

What is CVE-2026-41514?

The Hisilicon HPRE crypto driver in OP-TEE versions 4.5.0 through 4.11.0 is susceptible to a significant vulnerability due to an insecure RSA-OAEP decryption implementation. This flaw arises from reliance on non-constant-time memcmp() for label hash verification, which manifests multiple distinguishable error paths. Consequently, this leads to a padding oracle scenario that an attacker can exploit, enabling them to recover plaintext with approximately 1000-2000 adaptive chosen ciphertext queries. The vulnerability affects the platform configuration plat-d06 when using the Hisilicon HPRE driver, which is generally disabled by default. Users are advised to upgrade to version 4.11.0 to obtain the patch or disable the RSA driver as a workaround.

Affected Version(s)

optee_os >= 4.5.0, < 4.11.0

References

CVSS V3.1

Score:
2.5
Severity:
LOW
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Local
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.