{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-19T13:12:41.086","vulnerabilities":[{"cve":{"id":"CVE-2023-41325","sourceIdentifier":"security-advisories@github.com","published":"2023-09-15T20:15:10.800","lastModified":"2024-11-21T08:21:04.620","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone technology. Starting in version 3.20 and prior to version 3.22, `shdr_verify_signature` can make a double free. `shdr_verify_signature` used to verify a TA binary before it is loaded. To verify a signature of it, allocate a memory for RSA key. RSA key allocate function (`sw_crypto_acipher_alloc_rsa_public_key`) will try to allocate a memory (which is optee’s heap memory). RSA key is consist of exponent and modulus (represent as variable `e`, `n`) and it allocation is not atomic way, so it may succeed in `e` but fail in `n`. In this case sw_crypto_acipher_alloc_rsa_public_key` will free on `e` and return as it is failed but variable ‘e’ is remained as already freed memory address . `shdr_verify_signature` will free again that memory (which is `e`) even it is freed when it failed allocate RSA key. A patch is available in version 3.22. No known workarounds are available."},{"lang":"es","value":"OP-TEE es un Entorno de Ejecución Confiable (TEE) diseñado como complemento de un kernel de Linux no seguro que se ejecuta en Arm; Núcleos Cortex-A que utilizan la tecnología TrustZone. A partir de la versión 3.20 y anteriores a la versión 3.22, `shdr_verify_signature` puede hacer un doble libremente. `shdr_verify_signature` se usa para verificar un binario TA antes de cargarlo. Para verificar una firma del mismo, asigne una memoria para la clave RSA. La función de asignación de clave RSA (`sw_crypto_acipher_alloc_rsa_public_key`) intentará asignar una memoria (que es la memoria del montón del candidato). La clave RSA consta de exponente y módulo (representados como variables `e`, `n`) y su asignación no es de forma atómica, por lo que puede tener éxito en `e` pero fallar en `n`. En este caso, sw_crypto_acipher_alloc_rsa_public_key` se liberará en `e` y regresará cuando falló, pero la variable “e” permanece como dirección de memoria ya liberada. `shdr_verify_signature` liberará nuevamente esa memoria (que es `e`), incluso si se libera cuando no se pudo asignar la clave RSA. Hay un parche disponible en la versión 3.22. No hay workarounds conocidos disponibles."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N","baseScore":7.4,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":1.1,"impactScore":5.8},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H","baseScore":6.7,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":0.8,"impactScore":5.9}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-415"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linaro:op-tee:*:*:*:*:*:*:*:*","versionStartIncluding":"3.20.0","versionEndExcluding":"3.22.0","matchCriteriaId":"F01EDA96-EF6E-4A65-8831-4B42ED235B96"},{"vulnerable":true,"criteria":"cpe:2.3:o:linaro:op-tee:3.22.0:rc1:*:*:*:*:*:*","matchCriteriaId":"D516A715-0899-4350-9992-FF21D31AD67B"}]}]}],"references":[{"url":"https://github.com/OP-TEE/optee_os/commit/e2ec831cb07ed0099535c7c140cb6338aa62816a","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/OP-TEE/optee_os/security/advisories/GHSA-jrw7-63cq-7vhm","source":"security-advisories@github.com","tags":["Exploit","Vendor Advisory"]},{"url":"https://github.com/OP-TEE/optee_os/commit/e2ec831cb07ed0099535c7c140cb6338aa62816a","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://github.com/OP-TEE/optee_os/security/advisories/GHSA-jrw7-63cq-7vhm","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Exploit","Vendor Advisory"]}]}}]}