Source: optee-os
Version: 4.10.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for optee-os.

CVE-2026-45702[0]:
| OP-TEE is a Trusted Execution Environment (TEE) designed as
| companion to a non-secure Linux kernel running on Arm; Cortex-A
| cores using the TrustZone technology. Starting in version 4.3.0 and
| prior to version 4.11.0, a type confusion vulnerability exists in
| OP-TEE OS when processing an FFA_MEM_SHARE request from the normal
| world. This only applies when OP-TEE is configured as an SPMC for
| S-EL0 SPs, that is, with `CFG_CORE_SEL1_SPMC=y` and
| `CFG_SECURE_PARTITION=y`. Version 4.11.0 fixes the issue.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-45702
    https://www.cve.org/CVERecord?id=CVE-2026-45702
[1] https://github.com/OP-TEE/optee_os/security/advisories/GHSA-86pj-8xgw-66p5

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

