


Perceptive Security
SOC/SIEM Consultancy

OP-TEE is a Trusted Execution Environment (TEE) designed as a companion to a non-secure Linux kernel running on Arm Cortex-A cores using the TrustZone technology…
Published:
23 April 2026 at 22:00:00
Alert date:
24 April 2026 at 15:07:56
Source:
nvd.nist.gov
Operating Systems, Mobile & IoT
CVE-2026-33317 affects OP-TEE (Trusted Execution Environment) versions 3.13.0 through 4.10.0, specifically the PKCS#11 Trusted Application (TA). The vulnerability stems from missing validation checks in the entry_get_attribute_value() function in ta/pkcs11/src/object.c. The flaw can lead to out-of-bounds reads from the PKCS#11 TA heap and can potentially crash the system. When exploited through PKCS11_CMD_GET_ATTRIBUTE_VALUE with malicious template parameters, an attacker can read up to 7 bytes beyond buffer boundaries and write beyond the limits of the template buffer. The vulnerability has been addressed in three commits that will be included in version 4.11.0. Given OP-TEE's role as a security-critical component running on Arm TrustZone technology, this buffer overflow vulnerability poses significant risks to system integrity.
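The class of check described above, bounds validation while walking a client-supplied attribute template, is shown here as an added C example; it is not OP-TEE's code and not the content of the fix commits. It assumes a template made of records with an 8-byte id/size header followed by the data, and the struct, enum and function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed record layout (not taken from the page): 8-byte header, then data. */
struct attr_head {
    uint32_t id;
    uint32_t size;   /* client-declared length of the data that follows */
};

enum tmpl_status { TMPL_OK = 0, TMPL_TRUNCATED_HEAD = -1, TMPL_TRUNCATED_DATA = -2 };

/* Walk a client-supplied template of `len` bytes and count its records.
 * Every read is preceded by a check against the bytes that remain. */
static int validate_template(const uint8_t *buf, size_t len, size_t *count)
{
    size_t off = 0, n = 0;

    while (off < len) {
        struct attr_head head;
        size_t remaining = len - off;

        /* Check 1: the whole header must lie inside the buffer. Without
         * this, a 1-byte tail makes the copy below read 7 bytes too far. */
        if (remaining < sizeof(head))
            return TMPL_TRUNCATED_HEAD;
        memcpy(&head, buf + off, sizeof(head));  /* buffer may be unaligned */

        /* Check 2: the declared data length must fit in what is left.
         * Compared by subtraction so a huge size cannot wrap the offset. */
        if (head.size > remaining - sizeof(head))
            return TMPL_TRUNCATED_DATA;

        off += sizeof(head) + head.size;
        n++;
    }
    *count = n;
    return TMPL_OK;
}

int main(void)
{
    /* Constructed sample: one valid record (id 0x11, 4 data bytes) plus a stray byte. */
    uint8_t sample[13] = {0};
    uint32_t id = 0x11, size = 4;
    size_t count = 0;
    memcpy(sample, &id, sizeof(id));
    memcpy(sample + 4, &size, sizeof(size));
    return validate_template(sample, sizeof(sample), &count) == TMPL_TRUNCATED_HEAD ? 0 : 1;
}
```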
Affected products:
OP-TEE
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-33317
https://github.com/OP-TEE/optee_os/commit/149e8d7ecc4ef8bb00ab4a37fd2ccede6d79e1ca
https://github.com/OP-TEE/optee_os/commit/16926d5a46934c46e6656246b4fc18385a246900
https://github.com/OP-TEE/optee_os/commit/e031c4e562023fd9f199e39fd2e85797e4cbdca9
https://github.com/OP-TEE/optee_os/security/advisories/GHSA-8cqw-mg7v-c9p9
This article was created with the assistance of AI technology by Perceptive.
