PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-42546 OP-TEE CVE debrief

A resource leak vulnerability exists in OP-TEE, a Trusted Execution Environment (TEE) designed as a companion to a non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone technology. The vulnerability is due to the function `cleanup_shm_refs()` in `core/tee/entry_std.c` failing to apply a required bitmask (`OPTEE_MSG_ATTR_TYPE_MASK`) to parameter attributes. This results in a persistent reference leak of `mobj_reg_shm` objects, which remain on internal lists with dangling refcounts. The vulnerability affects non-FF-A configurations that support non-contiguous, non-secure shared memory. Over time, these accumulated leaks progressively consume the secure-world heap, degrading the system's ability to service trusted application operations and eventually requiring a reboot to recover.

Vendor
OP-TEE
Product
optee_os
CVSS
LOW 3.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-06
Original CVE updated
2026-07-07
Advisory published
2026-07-06
Advisory updated
2026-07-07

Who should care

Users of OP-TEE versions 3.3.0 through 4.10.0 should be aware of this vulnerability and take steps to mitigate it. This includes applying the patch provided in version 4.11.0 or using compensating controls to monitor and limit the impact of the vulnerability.

Technical summary

The vulnerability is caused by the `cleanup_shm_refs()` function in `core/tee/entry_std.c` failing to apply the required `OPTEE_MSG_ATTR_TYPE_MASK` to parameter attributes. This results in a persistent reference leak of `mobj_reg_shm` objects. The vulnerability affects non-FF-A configurations that support non-contiguous, non-secure shared memory. The vulnerability can be mitigated by applying the patch provided in version 4.11.0.

Defensive priority

Medium

Recommended defensive actions

  • Apply the patch provided in OP-TEE version 4.11.0
  • Monitor system resources for signs of degradation
  • Limit the impact of the vulnerability using compensating controls
  • Inventory and track OP-TEE versions 3.3.0 through 4.10.0
  • Consider upgrading to OP-TEE version 4.11.0 or later

Evidence notes

The vulnerability is documented in the OP-TEE advisory GHSA-c7j8-fgqw-rcgp. The NVD entry for CVE-2026-42546 provides additional information on the vulnerability. The CVE record was published on 2026-07-06T20:16:33.257Z and was last modified on 2026-07-07T18:56:18.507Z.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-06T20:16:33.257Z and has not been modified since then.