Subkey Rollback Vulnerability in OP-TEE by Linaro
CVE-2026-44362

5.5MEDIUM

Key Information:

Vendor

Op-tee

Status
Vendor
CVE Published:
6 July 2026

What is CVE-2026-44362?

The OP-TEE platform, designed as a Trusted Execution Environment for Arm processors, has a vulnerability related to subkey rollback protection. This arises from a flaw in the versioning process during Trusted Application (TA) loading. Specifically, the function responsible for key header parsing does not correctly assign the intended subkey version. Consequently, this allows the use of older, potentially revoked subkey versions for TA authentication, thereby circumventing vital security checks. This issue impacts users relying on subkey-based signing configurations. A patch for this vulnerability is available in version 4.11.0. Users are strongly advised to upgrade their systems to this version to ensure protection against this flaw.

Affected Version(s)

optee_os >= 3.20.0, < 4.11.0

References

CVSS V3.1

Score:
5.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.