{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33317", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-18T21:23:36.677Z", "datePublished": "2026-04-24T02:20:55.670Z", "dateUpdated": "2026-04-24T18:18:04.912Z"}, "containers": {"cna": {"title": "OP-TEE: PKCS#11 TA out-of-bounds read and memory disclosure", "problemTypes": [{"descriptions": [{"cweId": "CWE-125", "lang": "en", "description": "CWE-125: Out-of-bounds Read", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-787", "lang": "en", "description": "CWE-787: Out-of-bounds Write", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/OP-TEE/optee_os/security/advisories/GHSA-8cqw-mg7v-c9p9", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/OP-TEE/optee_os/security/advisories/GHSA-8cqw-mg7v-c9p9"}, {"name": "https://github.com/OP-TEE/optee_os/commit/149e8d7ecc4ef8bb00ab4a37fd2ccede6d79e1ca", "tags": ["x_refsource_MISC"], "url": "https://github.com/OP-TEE/optee_os/commit/149e8d7ecc4ef8bb00ab4a37fd2ccede6d79e1ca"}, {"name": "https://github.com/OP-TEE/optee_os/commit/16926d5a46934c46e6656246b4fc18385a246900", "tags": ["x_refsource_MISC"], "url": "https://github.com/OP-TEE/optee_os/commit/16926d5a46934c46e6656246b4fc18385a246900"}, {"name": "https://github.com/OP-TEE/optee_os/commit/e031c4e562023fd9f199e39fd2e85797e4cbdca9", "tags": ["x_refsource_MISC"], "url": "https://github.com/OP-TEE/optee_os/commit/e031c4e562023fd9f199e39fd2e85797e4cbdca9"}], "affected": [{"vendor": "OP-TEE", "product": "optee_os", "versions": [{"version": ">= 3.13.0, <= 4.10.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-24T02:20:55.670Z"}, "descriptions": [{"lang": "en", "value": "OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone technology. In versions 3.13.0 through 4.10.0, missing checks in `entry_get_attribute_value()` in `ta/pkcs11/src/object.c` can lead to out-of-bounds read from the PKCS#11 TA heap or a crash. When chained with the OOB read, the PKCS#11 TA function `PKCS11_CMD_GET_ATTRIBUTE_VALUE` or `entry_get_attribute_value()` can, with a bad template parameter, be tricked into reading at most 7 bytes beyond the end of the template buffer and writing beyond the end of the template buffer with the content of an attribute value of a PKCS#11 object. Commits e031c4e562023fd9f199e39fd2e85797e4cbdca9, 16926d5a46934c46e6656246b4fc18385a246900, and 149e8d7ecc4ef8bb00ab4a37fd2ccede6d79e1ca contain patches and are anticipated to be part of version 4.11.0."}], "source": {"advisory": "GHSA-8cqw-mg7v-c9p9", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-24T17:19:41.848151Z", "id": "CVE-2026-33317", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T18:18:04.912Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33317", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-24T17:19:41.848151Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T17:20:10.513Z"}}], "cna": {"title": "OP-TEE: PKCS#11 TA out-of-bounds read and memory disclosure", "source": {"advisory": "GHSA-8cqw-mg7v-c9p9", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.7, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "OP-TEE", "product": "optee_os", "versions": [{"status": "affected", "version": ">= 3.13.0, <= 4.10.0"}]}], "references": [{"url": "https://github.com/OP-TEE/optee_os/security/advisories/GHSA-8cqw-mg7v-c9p9", "name": "https://github.com/OP-TEE/optee_os/security/advisories/GHSA-8cqw-mg7v-c9p9", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/OP-TEE/optee_os/commit/149e8d7ecc4ef8bb00ab4a37fd2ccede6d79e1ca", "name": "https://github.com/OP-TEE/optee_os/commit/149e8d7ecc4ef8bb00ab4a37fd2ccede6d79e1ca", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/OP-TEE/optee_os/commit/16926d5a46934c46e6656246b4fc18385a246900", "name": "https://github.com/OP-TEE/optee_os/commit/16926d5a46934c46e6656246b4fc18385a246900", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/OP-TEE/optee_os/commit/e031c4e562023fd9f199e39fd2e85797e4cbdca9", "name": "https://github.com/OP-TEE/optee_os/commit/e031c4e562023fd9f199e39fd2e85797e4cbdca9", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone technology. In versions 3.13.0 through 4.10.0, missing checks in `entry_get_attribute_value()` in `ta/pkcs11/src/object.c` can lead to out-of-bounds read from the PKCS#11 TA heap or a crash. When chained with the OOB read, the PKCS#11 TA function `PKCS11_CMD_GET_ATTRIBUTE_VALUE` or `entry_get_attribute_value()` can, with a bad template parameter, be tricked into reading at most 7 bytes beyond the end of the template buffer and writing beyond the end of the template buffer with the content of an attribute value of a PKCS#11 object. Commits e031c4e562023fd9f199e39fd2e85797e4cbdca9, 16926d5a46934c46e6656246b4fc18385a246900, and 149e8d7ecc4ef8bb00ab4a37fd2ccede6d79e1ca contain patches and are anticipated to be part of version 4.11.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-125", "description": "CWE-125: Out-of-bounds Read"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-787", "description": "CWE-787: Out-of-bounds Write"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-24T02:20:55.670Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33317", "state": "PUBLISHED", "dateUpdated": "2026-04-24T18:18:04.912Z", "dateReserved": "2026-03-18T21:23:36.677Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-24T02:20:55.670Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linaro:op-tee:*:*:*:*:*:*:*:*", "matchCriteriaId": "FECA641D-57EA-4C17-9B63-2861A117DE5C", "versionEndIncluding": "4.10.0", "versionStartIncluding": "3.13.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone technology. In versions 3.13.0 through 4.10.0, missing checks in `entry_get_attribute_value()` in `ta/pkcs11/src/object.c` can lead to out-of-bounds read from the PKCS#11 TA heap or a crash. When chained with the OOB read, the PKCS#11 TA function `PKCS11_CMD_GET_ATTRIBUTE_VALUE` or `entry_get_attribute_value()` can, with a bad template parameter, be tricked into reading at most 7 bytes beyond the end of the template buffer and writing beyond the end of the template buffer with the content of an attribute value of a PKCS#11 object. Commits e031c4e562023fd9f199e39fd2e85797e4cbdca9, 16926d5a46934c46e6656246b4fc18385a246900, and 149e8d7ecc4ef8bb00ab4a37fd2ccede6d79e1ca contain patches and are anticipated to be part of version 4.11.0."}], "id": "CVE-2026-33317", "lastModified": "2026-04-27T14:50:13.087", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.0, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-24T03:16:11.020", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/OP-TEE/optee_os/commit/149e8d7ecc4ef8bb00ab4a37fd2ccede6d79e1ca"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/OP-TEE/optee_os/commit/16926d5a46934c46e6656246b4fc18385a246900"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/OP-TEE/optee_os/commit/e031c4e562023fd9f199e39fd2e85797e4cbdca9"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory", "Exploit"], "url": "https://github.com/OP-TEE/optee_os/security/advisories/GHSA-8cqw-mg7v-c9p9"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}, {"lang": "en", "value": "CWE-787"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.13.0,4.10.0]"}}], "enrichment": {"confidence": 97.0, "confidence_source": "matching", "scores": [{"score": 97.0, "source": "matching"}]}, "original": {"product": "optee_os", "source": "cna", "vendor": "OP-TEE"}, "product": "op-tee_os", "vendor": "op-tee"}], "analysis": {"en": {"generated_at": "2026-04-28T07:02:33.779982+00:00", "value": {"mitigation_remediation": ["Upgrade OP-TEE OS to version 4.11.0 or later and rebuild the PKCS#11 Trusted Application to apply the official fixes", "Reinstall the updated OP-TEE image on all devices to ensure the vulnerable TA is replaced", "Restrict access to the PKCS#11 interface on the Trusted Execution Environment, allowing only trusted applications or users to invoke PKCS#11 commands"], "summary": {"action": "Apply Patch", "impact": "Memory Disclosure"}, "threat_synthesis": {"affected_systems": "Affected versions are OP\u2011TEE OS 3.13.0 through 4.10.0. The vulnerability was fixed by commits e031c4e5, 16926d5a, and 149e8d7e, which are expected to appear in release 4.11.0. All built OP\u2011TEE images that include the PKCS#11 TA in this version range are impacted, regardless of vendor or deployment.", "description_and_impact": "The bug is an out\u2011of\u2011bounds read and write in the PKCS#11 Trusted Application of OP\u2011TEE, originating from missing bounds checks in the function `entry_get_attribute_value()` in `ta/pkcs11/src/object.c`. The flaw permits a malicious client to supply a malformed attribute template that causes the TA to read up to seven bytes beyond the end of the template buffer and then to copy those extra bytes back into the template buffer. This can expose sensitive data stored within the Trusted Execution Environment or corrupt the TA\u2019s memory, potentially leading to a crash.", "risk_and_exploitability": "The CVSS score is 8.7, and the EPSS score is below 1\u202f% with no listing in the CISA KEV catalog. An attacker must be able to invoke the PKCS#11 interface on the TEE; a crafted command using `PKCS11_CMD_GET_ATTRIBUTE_VALUE` is sufficient to exploit the overflow. Because the read/write is limited to a handful of bytes, exploitation may be subtle, but the data revealed can be highly confidential. The risk is therefore high for confidentiality and availability, and the low EPSS implies that exploitation is currently unlikely but still possible, especially in environments that expose the PKCS#11 API widely."}}}}, "created": "2026-04-28T07:15:19.369941+00:00", "updated": "2026-04-28T08:45:26.974886+00:00", "vendors": ["op-tee", "op-tee$PRODUCT$op-tee_os"]}