#1138878 optee-os: CVE-2026-40290

Package:
src:optee-os
Source:
src:optee-os
Submitter:
Salvatore Bonaccorso
Date:
2026-06-23 16:37:03 UTC
Severity:
normal
Tags:
#1138878#5
Date:
2026-06-05 04:34:56 UTC
Hi,

The following vulnerability was published for optee-os.

CVE-2026-40290[0]:
| OP-TEE is a Trusted Execution Environment (TEE) designed as
| companion to a non-secure Linux kernel running on Arm Cortex-A
| cores using the TrustZone technology. Starting in version 3.16.0 and
| prior to 4.11.0, a use-after-free (UAF) race condition exists in
| the shared memory teardown logic of FF-A within OP-TEE SPMC/SP
| flows. This only applies when OP-TEE is configured as an SPMC for
| S-EL0 SPs, that is, with `CFG_SECURE_PARTITION=y`. The function
| `sp_mem_remove()`, responsible for freeing entries in
| `smem->receivers` and `smem->regions`, fails to acquire the global
| `sp_mem_lock` before performing the `free()` operations.
| Concurrently, other code paths, such as `sp_mem_get_receiver()`,
| iterate over these same lists without holding a lock, or, like
| `sp_mem_is_shared()`, iterate while holding the lock but are not
| serialized against the unprotected `free()` in `sp_mem_remove()`.
| This creates a cross-thread race where a thread iterating the list
| can acquire a pointer to an entry (e.g., `struct sp_mem_map_region`
| or `struct sp_mem_receiver`), and then another thread calls
| `sp_mem_remove()`, freeing the object. When the first thread resumes
| and dereferences the pointer, it results in a Use-After-Free
| vulnerability. Version 4.11.0 fixes the issue.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-40290
https://www.cve.org/CVERecord?id=CVE-2026-40290
[1] https://github.com/OP-TEE/optee_os/security/advisories/GHSA-332c-xr93-849m

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
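
The advisory quoted above describes teardown code that calls `free()` on list entries without taking the lock that readers rely on. The following is an added model of the missing locking discipline, not OP-TEE source and not the upstream patch: every `model_*` name is hypothetical, and copying the value out under the lock (instead of returning a list pointer) is a design choice of this example.

```c
#include <pthread.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical model, not OP-TEE source: every model_* name is invented. */
struct model_receiver {
    uint16_t endpoint_id;
    uint32_t perm;
    struct model_receiver *next;
};
/* One lock serializes every list walk, insert and free(). */
static pthread_mutex_t model_lock = PTHREAD_MUTEX_INITIALIZER;
static struct model_receiver *model_receivers;

int model_add_receiver(uint16_t id, uint32_t perm)
{
    struct model_receiver *r = malloc(sizeof(*r));
    if (!r)
        return -1;
    pthread_mutex_lock(&model_lock);
    *r = (struct model_receiver){ id, perm, model_receivers };
    model_receivers = r;
    pthread_mutex_unlock(&model_lock);
    return 0;
}

/* Reader: copy the value out under the lock; no list pointer escapes. */
bool model_get_perm(uint16_t id, uint32_t *perm_out)
{
    bool found = false;
    pthread_mutex_lock(&model_lock);
    for (struct model_receiver *r = model_receivers; r && !found; r = r->next)
        if ((found = (r->endpoint_id == id)))
            *perm_out = r->perm;
    pthread_mutex_unlock(&model_lock);
    return found;
}

/* Teardown: unlink and free under the same lock the readers take. */
size_t model_remove_all(void)
{
    size_t freed = 0;
    pthread_mutex_lock(&model_lock);
    for (struct model_receiver *r; (r = model_receivers) != NULL; freed++) {
        model_receivers = r->next;
        free(r);
    }
    pthread_mutex_unlock(&model_lock);
    return freed;
}
```

Because a reader never holds a pointer into the list after the unlock, a concurrent `model_remove_all()` either runs entirely before the lookup or entirely after it.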

#1138878#8
Date:
2026-06-23 15:57:15 UTC
Hello,

Bug #1138878 in optee-os reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/debian/optee-os/-/commit/ec9346030e43c8cb34ad7fe684b06a7cea9f7c69
Signed-off-by: Dylan Aïssi <dylan.aissi@collabora.com>
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1138878

#1138878#15
Date:
2026-06-23 16:35:35 UTC
We believe that the bug you reported is fixed in the latest version of
optee-os, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1138878@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dylan Aïssi <daissi@debian.org> (supplier of updated optee-os package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Tue, 23 Jun 2026 18:14:28 +0200
Source: optee-os
Architecture: source
Version: 4.10.0-2
Distribution: unstable
Urgency: medium
Maintainer: Dylan Aïssi <daissi@debian.org>
Changed-By: Dylan Aïssi <daissi@debian.org>
Closes: 1138878 1138879 1138880
Changes:
 optee-os (4.10.0-2) unstable; urgency=medium
 .
   * Import upstream patches fixing:
     - CVE-2026-40290 (Closes: #1138878)
     - CVE-2026-45614 (Closes: #1138879)
     - CVE-2026-45702 (Closes: #1138880)