Public Key Verification Flaw in OP-TEE Environment
CVE-2026-45614
4.7MEDIUM
What is CVE-2026-45614?
OP-TEE, a Trusted Execution Environment (TEE) designed to complement non-secure Linux kernels on Arm Cortex-A cores, has a vulnerability that allows attackers to exploit unverified public keys. In versions prior to 4.11.0, the ECDH shared secret paths fail to validate that the public key adheres to the required elliptic curve, posing a risk of private key reconstruction. By supplying malicious public keys, an attacker can extract enough data from the TEE_DeriveKey function to potentially recover the private key through mathematical manipulation, particularly using the Chinese remainder theorem. This vulnerability highlights the importance of rigorous public key validation in cryptographic implementations.
Affected Version(s)
optee_os < 4.11.0
