CVE-2022-46152

Source
https://cve.org/CVERecord?id=CVE-2022-46152
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-46152.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-46152
Aliases
  • GHSA-65w8-6mrg-52g7
Published
2022-11-29T00:00:00Z
Modified
2026-04-10T04:52:57.537117Z
Severity
  • 8.2 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Summary
OP-TEE Trusted OS vulnerable to Improper Validation of Array Index in the cleanup_shm_refs function
Details

OP-TEE Trusted OS is the secure-side implementation of the OP-TEE project, a Trusted Execution Environment. Versions prior to 3.19.0 contain an Improper Validation of Array Index vulnerability. The function cleanup_shm_refs() is called by both entry_invoke_command() and entry_open_session(). The commands OPTEE_MSG_CMD_OPEN_SESSION and OPTEE_MSG_CMD_INVOKE_COMMAND can be executed from the normal world via an OP-TEE SMC. cleanup_shm_refs() does not validate its num_params argument, which is limited only to OPTEE_MSG_MAX_NUM_PARAMS (127) in the function get_cmd_buffer(). An attacker in the normal world can therefore craft an SMC call that causes out-of-bounds reads in cleanup_shm_refs() and potentially the freeing of fake objects in mobj_put(). A normal-world attacker with permission to execute SMC instructions may exploit this flaw. Maintainers believe this problem permits local privilege escalation from the normal world to the secure world. Version 3.19.0 contains a fix for this issue. There are no known workarounds.
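The following is an added example, not OP-TEE's own code, that models the pattern the advisory describes: a caller-supplied num_params that is only capped at OPTEE_MSG_MAX_NUM_PARAMS (127), fed to a cleanup loop whose backing arrays are much smaller. The array size TEE_NUM_PARAMS (4), the attribute bit values, the mobj layout and the simulate_cleanup()/check_num_params() helpers are assumptions of this model; the real kernel's data layout and the exact placement of the upstream fix differ. The memory past the "real" slots is constructed data standing in for whatever would follow the arrays in the secure kernel.

```c
/*
 * Added example (not OP-TEE code): model of the CVE-2022-46152 pattern.
 * The normal world states num_params in its message. The secure side caps
 * it at OPTEE_MSG_MAX_NUM_PARAMS when mapping the command buffer, but the
 * per-call parameter arrays hold only TEE_NUM_PARAMS entries (assumed
 * here). A cleanup loop that trusts num_params walks past the arrays,
 * interprets attacker-shaped memory as attributes, and "puts" objects the
 * kernel never referenced.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define OPTEE_MSG_MAX_NUM_PARAMS 127u  /* cap applied in get_cmd_buffer(), per the advisory */
#define TEE_NUM_PARAMS 4u              /* assumed size of the per-call parameter arrays */

#define ATTR_TYPE_MASK 0xffu
#define ATTR_TYPE_TMEM 0x5u            /* model value standing in for OPTEE_MSG_ATTR_TYPE_TMEM_* */
#define ATTR_NONCONTIG (1u << 9)       /* model value standing in for OPTEE_MSG_ATTR_NONCONTIG */

struct mobj {
    int refcount;
    bool fake;   /* true for objects that exist only in memory past the real arrays */
};

static int fake_objects_put;   /* how many never-referenced objects were released */

/* Model of mobj_put(): drop one reference. */
static void mobj_put(struct mobj *m)
{
    if (!m)
        return;
    if (m->fake)
        fake_objects_put++;
    m->refcount--;
}

/* Shared loop: release the non-contiguous TMEM references in [0, num_params). */
static void put_noncontig_refs(const uint64_t *saved_attr,
                               struct mobj *const *mobjs, uint32_t num_params)
{
    for (uint32_t n = 0; n < num_params; n++) {
        if ((saved_attr[n] & ATTR_TYPE_MASK) == ATTR_TYPE_TMEM &&
            (saved_attr[n] & ATTR_NONCONTIG))
            mobj_put(mobjs[n]);
    }
}

/* Vulnerable shape: the loop bound comes straight from the message. */
static void cleanup_shm_refs_vuln(const uint64_t *saved_attr,
                                  struct mobj *const *mobjs, uint32_t num_params)
{
    put_noncontig_refs(saved_attr, mobjs, num_params);
}

/* Hardened shape: refuse any count the arrays cannot hold (returns -1). */
int check_num_params(uint32_t num_params)
{
    return num_params > TEE_NUM_PARAMS ? -1 : 0;
}

static int cleanup_shm_refs_fixed(const uint64_t *saved_attr,
                                  struct mobj *const *mobjs, uint32_t num_params)
{
    if (check_num_params(num_params))
        return -1;
    put_noncontig_refs(saved_attr, mobjs, num_params);
    return 0;
}

/*
 * Constructed scenario: one buffer of 127 slots. Slots 0..3 model the real
 * per-call arrays (plain value params, nothing to put). Slots 4..126 model
 * the memory after them, filled with attacker-shaped "non-contiguous TMEM"
 * entries so the loop releases them. Keeping everything in one buffer keeps
 * the simulation itself well-defined C while showing the out-of-bounds walk
 * relative to the 4-entry logical array. Returns the number of fake objects
 * released.
 */
int simulate_cleanup(bool hardened, uint32_t num_params)
{
    uint64_t attrs[OPTEE_MSG_MAX_NUM_PARAMS];
    struct mobj objs[OPTEE_MSG_MAX_NUM_PARAMS];
    struct mobj *ptrs[OPTEE_MSG_MAX_NUM_PARAMS];

    fake_objects_put = 0;
    for (uint32_t i = 0; i < OPTEE_MSG_MAX_NUM_PARAMS; i++) {
        objs[i].refcount = 1;
        objs[i].fake = i >= TEE_NUM_PARAMS;
        ptrs[i] = &objs[i];
        attrs[i] = objs[i].fake ? (ATTR_TYPE_TMEM | ATTR_NONCONTIG) : 0;
    }

    if (hardened)
        cleanup_shm_refs_fixed(attrs, ptrs, num_params);
    else
        cleanup_shm_refs_vuln(attrs, ptrs, num_params);
    return fake_objects_put;
}

int main(void)
{
    printf("vulnerable, num_params=127: %d fake objects put\n",
           simulate_cleanup(false, OPTEE_MSG_MAX_NUM_PARAMS));
    printf("hardened,   num_params=127: %d fake objects put\n",
           simulate_cleanup(true, OPTEE_MSG_MAX_NUM_PARAMS));
    return 0;
}
```

The point of the model is where the bound is enforced: get_cmd_buffer()'s cap of 127 protects the message buffer, not the per-call arrays, so any consumer of num_params has to check it against the size of the memory it actually indexes. With num_params = 127 the vulnerable loop releases all 123 fake objects past the real slots; the hardened loop rejects the count and touches nothing.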

Database specific
{
    "cwe_ids": [
        "CWE-129"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/46xxx/CVE-2022-46152.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/op-tee/optee_os

Affected ranges

Type
GIT
Repo
https://github.com/op-tee/optee_os
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "3.19.0"
        }
    ]
}

Affected versions

0.*
0.1.0
0.2.0
0.3.0
1.*
1.0.0
1.0.0-rc1
1.0.0-rc2
1.0.1
1.1.0
2.*
2.0.0
2.1.0
2.2.0
2.3.0
2.4.0
2.5.0
2.5.0-rc1
2.5.0-rc2
2.6.0
2.6.0-rc1
Other
20160825-for-lmg
3.*
3.0.0
3.0.0-rc1
3.0.0-rc2
3.1.0
3.1.0-rc1
3.10.0
3.10.0-rc1
3.11.0
3.11.0-rc1
3.12.0
3.12.0-rc1
3.13.0
3.13.0-rc1
3.14.0
3.14.0-rc1
3.15.0
3.15.0-rc1
3.16.0
3.17.0
3.17.0-rc1
3.18.0
3.18.0-rc1
3.19.0-rc1
3.2.0
3.2.0-rc1
3.3.0
3.3.0-rc2
3.4.0
3.4.0-rc1
3.5.0
3.5.0-rc1
3.6.0
3.6.0-rc1
3.7.0
3.7.0-rc1
3.8.0
3.8.0-rc1
3.9.0
3.9.0-rc1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-46152.json"