Cyber Resilience

CVE-2026-40290

HighPublic PoC

Published: 03 June 2026

Published
03 June 2026
Modified
05 June 2026
KEV Added
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0014 3.9th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-40290 is a high-severity Use After Free (CWE-416) vulnerability in Trustedfirmware Op-Tee. Its CVSS base score is 7.8 (High).

Operationally, ranked at the 3.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

EU & UK References

Vulnerability details

OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone technology. Starting in version 3.16.0 and prior to 4.11.0, a user-after-free (UAF) race condition exists in the…

more

shared memory teardown logic of FF-A within OP-TEE SPMC/SP flows. This only applies when OP-TEE is configured as an SPMC for S-EL0 SPs, that is, with `CFG_SECURE_PARTITION=y`. The function `sp_mem_remove()`, responsible for freeing entries in `smem->receivers` and `smem->regions`, fails to acquire the global `sp_mem_lock` before performing the `free()` operations. Concurrently, other code paths, such as `sp_mem_get_receiver()`, iterate over these same lists without holding a lock, or, like `sp_mem_is_shared()`, iterate while holding the lock but are not serialized against the unprotected `free()` in `sp_mem_remove()`. This creates a cross-thread race where a thread iterating the list can acquire a pointer to an entry (e.g., `struct sp_mem_map_region` or `struct sp_mem_receiver`), and then another thread calls `sp_mem_remove()`, freeing the object. When the first thread resumes and dereferences the pointer, it results in a Use-After-Free vulnerability. Version 4.11.0 fixes the issue.

CWE(s)

Related Threats

CVEs Like This One

CVE-2026-33317Same product: Trustedfirmware Op-Tee
CVE-2026-33662Same product: Trustedfirmware Op-Tee
CVE-2026-34875Same vendor: Trustedfirmware
CVE-2026-34873Same vendor: Trustedfirmware
CVE-2026-34874Same vendor: Trustedfirmware
CVE-2026-34876Same vendor: Trustedfirmware
CVE-2026-25833Same vendor: Trustedfirmware
CVE-2026-8016Shared CWE-416
CVE-2026-8530Shared CWE-416
CVE-2026-9901Shared CWE-416

Affected Assets

trustedfirmware
op-tee
3.16.0 — 4.10.0

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-416

Use-after-free exploits that achieve arbitrary code execution are blocked or significantly hardened by non-executable pages and ASLR.

References