QSearch

CVE-2022-46152

8.2 HIGH

OP-TEE Trusted OS is the secure side implementation of OP-TEE project, a Trusted Execution Environment

Published: 2022-11-29 · Last updated: 2026-06-05

Severity and scoring

CVSS: 8.2 HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CWE: CWE-129

Affected products

Vendor: trustedfirmware
Product: op-tee

Description

OP-TEE Trusted OS is the secure-side implementation of the OP-TEE project, a Trusted Execution Environment. Versions prior to 3.19.0 contain an Improper Validation of Array Index vulnerability. The function `cleanup_shm_refs()` is called by both `entry_invoke_command()` and `entry_open_session()`. The commands `OPTEE_MSG_CMD_OPEN_SESSION` and `OPTEE_MSG_CMD_INVOKE_COMMAND` can be executed from the normal world via an OP-TEE SMC. `cleanup_shm_refs()` does not validate its `num_params` argument, which is limited only to `OPTEE_MSG_MAX_NUM_PARAMS` (127) in the function `get_cmd_buffer()`. Therefore, an attacker in the normal world can craft an SMC call that causes an out-of-bounds read in `cleanup_shm_refs()` and potentially the freeing of fake objects in the function `mobj_put()`. A normal-world attacker with permission to execute SMC instructions may exploit this flaw. Maintainers believe this problem permits local privilege escalation from the normal world to the secure world. Version 3.19.0 contains a fix for this issue. There are no known workarounds.

Source: NVD
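The missing check described above, shown as an added example in its hardened form: a cleanup loop that clamps the caller-supplied count to the length of the arrays it indexes before releasing any reference. This is a simplified model written for this page, not OP-TEE source or the 3.19.0 patch; every `model_`/`MODEL_` name, the array length of 4 and the attribute value are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model, not OP-TEE source; every model_/MODEL_ name is hypothetical. */
#define MODEL_MAX_NUM_PARAMS 127u /* the only upstream limit, per the description */
#define MODEL_NUM_SLOTS 4u        /* assumption: length of the fixed per-call arrays */
#define MODEL_ATTR_MEMREF 1u      /* assumption: attribute marking a shared-memory ref */

struct model_mobj { int refcount; };
struct model_param { struct model_mobj *mobj[MODEL_NUM_SLOTS]; };

/* Stand-in for a reference release such as mobj_put(). */
static void model_put(struct model_mobj *m)
{
    if (m && m->refcount > 0)
        m->refcount--;
}

/* Hardened cleanup: clamp the untrusted count to the array length before
 * indexing. Returns the number of slots actually visited. */
static size_t model_cleanup_refs(const uint64_t *saved_attr,
                                 struct model_param *p, uint32_t num_params)
{
    size_t limit = num_params < MODEL_NUM_SLOTS ? num_params : MODEL_NUM_SLOTS;

    for (size_t n = 0; n < limit; n++) {
        if (saved_attr[n] == MODEL_ATTR_MEMREF) {
            model_put(p->mobj[n]);
            p->mobj[n] = NULL; /* a repeated cleanup cannot release it twice */
        }
    }
    return limit;
}

/* Constructed scenario: four live objects, three marked as memory refs,
 * cleaned up with an untrusted count. Returns references still held. */
static int model_refs_left(uint32_t num_params)
{
    struct model_mobj objs[MODEL_NUM_SLOTS] = { {1}, {1}, {1}, {1} };
    uint64_t attr[MODEL_NUM_SLOTS] = { 1, 1, 0, 1 };
    struct model_param p = { { &objs[0], &objs[1], &objs[2], &objs[3] } };
    int left = 0;

    model_cleanup_refs(attr, &p, num_params);
    for (size_t n = 0; n < MODEL_NUM_SLOTS; n++)
        left += objs[n].refcount;
    return left;
}
int main(void) { printf("%d\n", model_refs_left(MODEL_MAX_NUM_PARAMS)); return 0; }
```

Without the clamp, a count of 127 would make the same loop read 123 entries past each four-element array and pass whatever it found there to the release function.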

Related CVEs

Same vendor

  • CVE-2026-45702 OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using t... (4.4 MEDIUM)
  • CVE-2026-45614 OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using t... (4.7 MEDIUM)
  • CVE-2026-40290 OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using t... (7.8 HIGH)
  • CVE-2026-33662 OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using t... (7.5 HIGH)
  • CVE-2026-33317 OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using t... (8.7 HIGH)

Same CWE

  • CVE-2026-45624 ImageMagick is free and open-source software used for editing and manipulating digital images (5.1 MEDIUM)
  • CVE-2026-45359 ImageMagick is free and open-source software used for editing and manipulating digital images (5.7 MEDIUM)
  • CVE-2026-24181 NVIDIA DALI contains a vulnerability in a component where an attacker could cause an improper index validation (7.3 HIGH)
  • CVE-2026-25276 Memory corruption while using Strongbox due to missing bounds check (8.8 HIGH)
  • CVE-2026-46163 In the Linux kernel, the following vulnerability has been resolved: wifi: b43legacy: enforce bounds check on firmware key index in RX pa... (7.8 HIGH)