Resource Leak Vulnerability in OP-TEE's Trusted Execution Environment for Arm Cortex-A Platforms
CVE-2026-42546

3.8LOW

Key Information:

Vendor

Op-tee

Status
Vendor
CVE Published:
6 July 2026

What is CVE-2026-42546?

A resource leak vulnerability has been identified in OP-TEE, a Trusted Execution Environment designed to work alongside a non-secure Linux kernel on Arm Cortex-A architectures. Starting from version 3.3.0 and up to 4.10.0, the cleanup logic for shared memory, specifically in the function cleanup_shm_refs(), does not correctly apply a required bitmask to parameter attributes. This flaw results in a failure to properly manage memory references, leading to an accumulation of mobj_reg_shm object references within the internal management system. Over time, these leaks can significantly degrade system performance by exhausting the secure-world heap resources, potentially hampering trusted application operations and necessitating a system reboot for recovery. Users are advised to update to version 4.11.0, where this issue is addressed.

Affected Version(s)

optee_os >= 3.3.0, < 4.11.0

References

CVSS V3.1

Score:
3.8
Severity:
LOW
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.