CVE-2026-33317
Published: 24 April 2026
Summary
CVE-2026-33317 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Linaro OP-TEE. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 2.2nd percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) (AI)
Requires validation of inputs like template parameters to enforce bounds checking, directly preventing OOB reads and writes in entry_get_attribute_value().
Implements memory protection mechanisms to safeguard the PKCS#11 TA heap against unauthorized OOB access and exploitation.
Mandates timely flaw remediation through application of OP-TEE patches that add missing checks to fix the vulnerability.
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
A local OOB read/write in the OP-TEE PKCS#11 TA crosses the REE/TEE security boundary (S:C), directly enabling exploitation for privilege escalation to access secure-world data and credential access by leaking or modifying sensitive PKCS#11 object attributes or heap contents.
NVD Description
OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm Cortex-A cores using the TrustZone technology. In versions 3.13.0 through 4.10.0, missing checks in `entry_get_attribute_value()` in `ta/pkcs11/src/object.c` can lead to out-of-bounds read from the PKCS#11 TA heap or a crash. When chained with the OOB read, the PKCS#11 TA function `PKCS11_CMD_GET_ATTRIBUTE_VALUE` or `entry_get_attribute_value()` can, with a bad template parameter, be tricked into reading at most 7 bytes beyond the end of the template buffer and writing beyond the end of the template buffer with the content of an attribute value of a PKCS#11 object. Commits e031c4e562023fd9f199e39fd2e85797e4cbdca9, 16926d5a46934c46e6656246b4fc18385a246900, and 149e8d7ecc4ef8bb00ab4a37fd2ccede6d79e1ca contain patches and are anticipated to be part of version 4.11.0.
Deeper analysis (AI)
CVE-2026-33317 affects OP-TEE, a Trusted Execution Environment (TEE) designed as a companion to a non-secure Linux kernel on Arm Cortex-A cores using TrustZone technology. The vulnerability stems from missing checks in the `entry_get_attribute_value()` function located in `ta/pkcs11/src/object.c`, present in versions 3.13.0 through 4.10.0. This flaw enables an out-of-bounds (OOB) read from the PKCS#11 Trusted Application (TA) heap, potentially causing a crash. When chained with the OOB read, the PKCS#11 TA functions `PKCS11_CMD_GET_ATTRIBUTE_VALUE` or `entry_get_attribute_value()` can be exploited using a malformed template parameter to read at most 7 bytes beyond the end of the template buffer and write beyond the buffer's end using content from a PKCS#11 object attribute value. It is associated with CWE-125 (OOB read) and CWE-787 (OOB write), with a CVSS v3.1 base score of 8.7 (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L).
A local attacker with low privileges can exploit this vulnerability with low complexity and no user interaction. The changed scope (S:C) allows impact across security boundaries, enabling high confidentiality and integrity effects, such as unauthorized disclosure or modification of sensitive data in the TEE, alongside a low availability impact from potential crashes.
Mitigation is provided through patches in OP-TEE commits e031c4e562023fd9f199e39fd2e85797e4cbdca9, 16926d5a46934c46e6656246b4fc18385a246900, and 149e8d7ecc4ef8bb00ab4a37fd2ccede6d79e1ca, which are anticipated to be included in version 4.11.0. Additional details are available in the GitHub Security Advisory at GHSA-8cqw-mg7v-c9p9 and the referenced commit pages.
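The class of check whose absence is described above is validating every template entry against the space left in the buffer before it is read or written. The following is an added example, not OP-TEE's code or the actual patch; it assumes a hypothetical serialized layout of an 8-byte little-endian header (`id`, `size`) followed by `size` value bytes, and `template_count`, `rd32le` and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed layout (hypothetical): uint32 id, uint32 size, then size bytes. */
#define HEAD_LEN 8u

/* Constructed samples: {id 0x11, 2 value bytes} {id 0x03, empty value},
 * and a single header that claims a 4 GiB value. */
static const uint8_t sample[] = { 0x11, 0, 0, 0, 2, 0, 0, 0, 0xAA, 0xBB,
                                  0x03, 0, 0, 0, 0, 0, 0, 0 };
static const uint8_t huge[] = { 0x11, 0, 0, 0, 0xFF, 0xFF, 0xFF, 0xFF };

static uint32_t rd32le(const uint8_t *p)
{
    return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns the number of well-formed entries, -1 if a header is truncated,
 * -2 if a value would extend past the end of the buffer. */
int template_count(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int n = 0;

    while (off < len) {
        size_t remaining = len - off;

        /* With 1..7 bytes left, parsing an 8-byte header would read up to
         * 7 bytes past the end of the buffer. */
        if (remaining < HEAD_LEN)
            return -1;
        uint32_t size = rd32le(buf + off + 4);

        /* Compare with the space left; off + size could wrap if summed. */
        if (size > remaining - HEAD_LEN)
            return -2;
        off += HEAD_LEN + size;
        n++;
    }
    return n;
}

int main(void)
{
    printf("full=%d short_head=%d short_value=%d huge=%d\n",
           template_count(sample, sizeof(sample)), template_count(sample, 11),
           template_count(sample, 9), template_count(huge, sizeof(huge)));
    return 0;
}
```

Running the same walk once up front, before any attribute value is copied into the template, means a later write never relies on a caller-supplied `size` that was not checked against the buffer.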
Details
- CWE(s)