Subkey Rollback Vulnerability in OP-TEE by Linaro
CVE-2026-44362
What is CVE-2026-44362?
The OP-TEE platform, designed as a Trusted Execution Environment for Arm processors, has a vulnerability related to subkey rollback protection. This arises from a flaw in the versioning process during Trusted Application (TA) loading. Specifically, the function responsible for key header parsing does not correctly assign the intended subkey version. Consequently, this allows the use of older, potentially revoked subkey versions for TA authentication, thereby circumventing vital security checks. This issue impacts users relying on subkey-based signing configurations. A patch for this vulnerability is available in version 4.11.0. Users are strongly advised to upgrade their systems to this version to ensure protection against this flaw.
Affected Version(s)
optee_os >= 3.20.0, < 4.11.0
