PatchSiren cyber security CVE debrief
CVE-2026-42546 OP-TEE CVE debrief
A resource leak vulnerability exists in OP-TEE, a Trusted Execution Environment (TEE) designed as a companion to a non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone technology. The vulnerability is due to the function `cleanup_shm_refs()` in `core/tee/entry_std.c` failing to apply a required bitmask (`OPTEE_MSG_ATTR_TYPE_MASK`) to parameter attributes. This results in a persistent reference leak of `mobj_reg_shm` objects, which remain on internal lists with dangling refcounts. The vulnerability affects non-FF-A configurations that support non-contiguous, non-secure shared memory. Over time, these accumulated leaks progressively consume the secure-world heap, degrading the system's ability to service trusted application operations and eventually requiring a reboot to recover.
- Vendor
- OP-TEE
- Product
- optee_os
- CVSS
- LOW 3.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-06
- Original CVE updated
- 2026-07-07
- Advisory published
- 2026-07-06
- Advisory updated
- 2026-07-07
Who should care
Users of OP-TEE versions 3.3.0 through 4.10.0 should be aware of this vulnerability and take steps to mitigate it. This includes applying the patch provided in version 4.11.0 or using compensating controls to monitor and limit the impact of the vulnerability.
Technical summary
The vulnerability is caused by the `cleanup_shm_refs()` function in `core/tee/entry_std.c` failing to apply the required `OPTEE_MSG_ATTR_TYPE_MASK` to parameter attributes. This results in a persistent reference leak of `mobj_reg_shm` objects. The vulnerability affects non-FF-A configurations that support non-contiguous, non-secure shared memory. The vulnerability can be mitigated by applying the patch provided in version 4.11.0.
Defensive priority
Medium
Recommended defensive actions
- Apply the patch provided in OP-TEE version 4.11.0
- Monitor system resources for signs of degradation
- Limit the impact of the vulnerability using compensating controls
- Inventory and track OP-TEE versions 3.3.0 through 4.10.0
- Consider upgrading to OP-TEE version 4.11.0 or later
Evidence notes
The vulnerability is documented in the OP-TEE advisory GHSA-c7j8-fgqw-rcgp. The NVD entry for CVE-2026-42546 provides additional information on the vulnerability. The CVE record was published on 2026-07-06T20:16:33.257Z and was last modified on 2026-07-07T18:56:18.507Z.
Official resources
-
CVE-2026-42546 CVE record
CVE.org
-
CVE-2026-42546 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Vendor Advisory
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-06T20:16:33.257Z and has not been modified since then.