CVE-2026-33317

Severity: HIGH

OP-TEE 3.13.0-4.10.0 - Out-of-bounds Read in PKCS#11 TA Heap via Bad Template Parameter

Title source: LLM

Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-33317. PoCs published by adminlove520 and qianfei11.


Description

OP-TEE is a Trusted Execution Environment (TEE) designed as a companion to a non-secure Linux kernel running on Arm Cortex-A cores using TrustZone technology. In versions 3.13.0 through 4.10.0, missing checks in `entry_get_attribute_value()` in `ta/pkcs11/src/object.c` can lead to an out-of-bounds read from the PKCS#11 TA heap or a crash. Chained with that out-of-bounds read, the PKCS#11 TA entry point `PKCS11_CMD_GET_ATTRIBUTE_VALUE` (`entry_get_attribute_value()`) can, given a bad template parameter, be tricked into reading at most 7 bytes beyond the end of the template buffer and into writing beyond the end of the template buffer with the content of an attribute value of a PKCS#11 object. Commits e031c4e562023fd9f199e39fd2e85797e4cbdca9, 16926d5a46934c46e6656246b4fc18385a246900, and 149e8d7ecc4ef8bb00ab4a37fd2ccede6d79e1ca contain the patches and are anticipated to be part of version 4.11.0.

Exploits (2)

github · WORKING POC · 4 stars
by adminlove520 · python · poc
https://github.com/adminlove520/CVE-Poc_All_in_One/tree/main/2026/CVE-2026-33317

This repository contains a functional exploit PoC for CVE-2026-33317, demonstrating a heap buffer overflow in PKCS#11 TA's C_GetAttributeValue via an undersized attrs_size. The PoC includes detailed technical analysis, reproduction steps, and a runnable exploit that triggers the vulnerability using AddressSanitizer.

Classification: Working PoC (100%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: OP-TEE OS PKCS#11 TA (versions before 4.11)
Authentication: none needed
Prerequisites: OP-TEE OS commit 06c4e95e469c9c89e9ba4a6915d1be7bb8ea6fbc · GCC with AddressSanitizer support
Analyzed by devstral-2 on May 18, 2026

github · WORKING POC
by qianfei11 · c · poc
https://github.com/qianfei11/CVE-2026-33317

This repository contains a functional exploit PoC for CVE-2026-33317, demonstrating a heap buffer overflow in PKCS#11 TA's C_GetAttributeValue via an undersized attrs_size. The PoC includes detailed technical analysis, reproduction steps, and a runnable exploit harness with AddressSanitizer validation.

Classification: Working PoC (100%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: OP-TEE OS PKCS#11 Trusted Application (TA) versions before 4.11
Authentication: none needed
Prerequisites: OP-TEE OS commit 06c4e95e469c9c89e9ba4a6915d1be7bb8ea6fbc · GCC with AddressSanitizer support
Analyzed by devstral-2 on Apr 30, 2026

Scores

CVSS v3: 8.7
EPSS: 0.0001
EPSS Percentile: 3.2%
Attack Vector: LOCAL
Vector string: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L

CISA SSVC

Vulnrichment:
Exploitation: none
Automatable: no
Technical Impact: total

Details

CWE: CWE-125, CWE-787
Status: published
Products (3):
linaro/op-tee 3.13.0 - 4.10.0
OP-TEE/optee_os >= 3.13.0, <= 4.10.0
trustedfirmware/op-tee 3.13.0 - 4.10.0
Published: Apr 24, 2026
Tracked Since: Apr 24, 2026