Public Key Verification Flaw in OP-TEE Environment
CVE-2026-45614

4.7MEDIUM

Key Information:

Vendor

Op-tee

Status
Vendor
CVE Published:
3 June 2026

What is CVE-2026-45614?

OP-TEE, a Trusted Execution Environment (TEE) designed to complement non-secure Linux kernels on Arm Cortex-A cores, has a vulnerability that allows attackers to exploit unverified public keys. In versions prior to 4.11.0, the ECDH shared secret paths fail to validate that the public key adheres to the required elliptic curve, posing a risk of private key reconstruction. By supplying malicious public keys, an attacker can extract enough data from the TEE_DeriveKey function to potentially recover the private key through mathematical manipulation, particularly using the Chinese remainder theorem. This vulnerability highlights the importance of rigorous public key validation in cryptographic implementations.

Affected Version(s)

optee_os < 4.11.0

References

CVSS V3.1

Score:
4.7
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Local
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.