PatchSiren cyber security CVE debrief

CVE-2026-33662 OP-TEE CVE debrief

CVE-2026-33662 is a high-severity vulnerability in OP-TEE, a Trusted Execution Environment (TEE) for Arm Cortex-A cores. The vulnerability, caused by an integer underflow in the `emsa_pkcs1_v1_5_encode()` function, can lead to a remote denial-of-service (DoS) attack. The vulnerability affects OP-TEE versions from 3.8.0 to 4.10.0 and has a CVSS score of 7.5.

Vendor
OP-TEE
Product
optee_os
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-04-24
Original CVE updated
2026-06-05
Advisory published
2026-04-24
Advisory updated
2026-06-05

Who should care

Developers and users of OP-TEE, particularly those using versions between 3.8.0 and 4.10.0, should be aware of this vulnerability and take steps to mitigate it.

Technical summary

The vulnerability is an integer underflow in the `emsa_pkcs1_v1_5_encode()` function, which implements EMSA-PKCS1-v1_5 encoding. The function computes the length of the padding string, the 'PS size', by subtracting the size of the digest and the other fields required by the encoding from the size of the key modulus. If the modulus is small enough, this unsigned subtraction wraps around and yields a very large value. That value is then passed as the length to a `memset()` call, which overwrites memory beyond the intended buffer until OP-TEE crashes.
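The following C program is an added illustration of the bug class described above; it is not OP-TEE's code, and the function and constant names (`ps_len_unchecked`, `ps_len_checked`, `emsa_pkcs1_v1_5_encode_checked`, `PS_MIN_LEN`, `EM_FIXED_OCTETS`) are hypothetical. It shows how an unsigned "modulus size minus digest-info size minus fixed octets" computation wraps when the modulus is too small, and the length check that rejects such a modulus before any `memset()` is reached. The layout and the 8-octet minimum padding follow RFC 8017 section 9.2; the sample digest-info bytes are constructed, not a real digest.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* EMSA-PKCS1-v1_5 (RFC 8017 9.2): EM = 0x00 || 0x01 || PS || 0x00 || T,
 * where T is the DER DigestInfo (hash OID prefix plus digest) and PS is
 * at least 8 octets of 0xff. */
#define PS_MIN_LEN      8   /* minimum padding string length */
#define EM_FIXED_OCTETS 3   /* the 0x00, 0x01 and 0x00 separators */

/* Hypothetical unchecked PS-size computation: the subtraction is done on
 * size_t with no prior length check, so it wraps around when
 * em_len < t_len + 3. Returned only so the wrap can be observed; never
 * used as a memset length here. */
size_t ps_len_unchecked(size_t em_len, size_t t_len)
{
    return em_len - t_len - EM_FIXED_OCTETS;
}

/* Checked variant: validates the modulus size before subtracting.
 * Returns 0 and stores the PS length, or -1 if the modulus is too small. */
int ps_len_checked(size_t em_len, size_t t_len, size_t *ps_len)
{
    /* guard the addition itself against wrapping for absurd t_len */
    if (t_len > SIZE_MAX - EM_FIXED_OCTETS - PS_MIN_LEN)
        return -1;
    /* the modulus must leave room for T, the separators and 8 octets of PS */
    if (em_len < t_len + EM_FIXED_OCTETS + PS_MIN_LEN)
        return -1;
    *ps_len = em_len - t_len - EM_FIXED_OCTETS;
    return 0;
}

/* Encodes T into em[em_len] only after the size check has passed, so the
 * memset length is always bounded by the buffer. Returns 0 or -1. */
int emsa_pkcs1_v1_5_encode_checked(const uint8_t *t, size_t t_len,
                                   uint8_t *em, size_t em_len)
{
    size_t ps_len;

    if (ps_len_checked(em_len, t_len, &ps_len) != 0)
        return -1;                 /* modulus too small: reject, do not wrap */
    em[0] = 0x00;
    em[1] = 0x01;
    memset(em + 2, 0xff, ps_len);  /* ps_len <= em_len - t_len - 3 */
    em[2 + ps_len] = 0x00;
    memcpy(em + 3 + ps_len, t, t_len);
    return 0;
}

/* Self-check used by main(): builds one EM with a constructed 20-byte T
 * into a 64-byte buffer (PS length 41) and confirms the layout, then
 * confirms that a 4-byte "modulus" is rejected. Returns 1 on success. */
int demo_encode_ok(void)
{
    uint8_t t[20];                 /* constructed stand-in for a DigestInfo */
    uint8_t em[64];
    size_t i;

    memset(t, 0xab, sizeof t);
    if (emsa_pkcs1_v1_5_encode_checked(t, sizeof t, em, sizeof em) != 0)
        return 0;
    if (em[0] != 0x00 || em[1] != 0x01)
        return 0;
    for (i = 2; i < 2 + 41; i++)
        if (em[i] != 0xff)
            return 0;
    if (em[43] != 0x00)
        return 0;
    if (memcmp(em + 44, t, sizeof t) != 0)
        return 0;
    /* a modulus smaller than T must be refused instead of wrapping */
    if (emsa_pkcs1_v1_5_encode_checked(t, sizeof t, em, 4) != -1)
        return 0;
    return 1;
}

int main(void)
{
    size_t ps;

    printf("unchecked PS size for em_len=32, t_len=51: %zu (wrapped)\n",
           ps_len_unchecked(32, 51));
    printf("checked   PS size for em_len=32, t_len=51: %s\n",
           ps_len_checked(32, 51, &ps) == 0 ? "ok" : "rejected");
    printf("checked   PS size for em_len=256, t_len=51: %zu\n",
           ps_len_checked(256, 51, &ps) == 0 ? ps : 0);
    printf("encode self-check: %s\n", demo_encode_ok() ? "pass" : "fail");
    return 0;
}
```

The unchecked function is kept deliberately tiny so the wrap is visible on its own: with a 32-byte modulus and a 51-byte DigestInfo it returns a value close to `SIZE_MAX`, which is exactly the kind of length that makes a subsequent `memset()` run off the end of the buffer. The checked path fails closed before any memory is touched, which is the property a reviewer should look for in any RSA padding routine that derives a length from the key size.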

Defensive priority

High

Recommended defensive actions

  • Upgrade to a version of OP-TEE that is not vulnerable (e.g., version 4.11.0 or later).
  • Apply the patch provided by the vendor [ref-4].

Evidence notes

The vulnerability was discovered and reported by an unknown researcher. The CVE record was published on April 24, 2026, and last modified on June 5, 2026 [cve-org]. The NVD detail page provides additional information about the vulnerability [nvd].

Official resources

CVE-2026-33662 was published on 2026-04-24T19:17:09.997Z and last modified on 2026-06-05T20:21:14.723Z.