7.8

CVE-2026-53273

tee: optee: prevent use-after-free when the client exits before the supplicant

In the Linux kernel, the following vulnerability has been resolved:

tee: optee: prevent use-after-free when the client exits before the supplicant

Commit 70b0d6b0a199 ("tee: optee: Fix supplicant wait loop") made the
client wait as killable so it can be interrupted during shutdown or
after a supplicant crash. This changes the original lifetime expectations:
the client task can now terminate while the supplicant is still processing
its request.

If the client exits first it removes the request from its queue and
kfree()s it, while the request ID remains in supp->idr. A subsequent
lookup on the supplicant path then dereferences freed memory, leading to
a use-after-free.

Serialise access to the request with supp->mutex:

  * Hold supp->mutex in optee_supp_recv() and optee_supp_send() while
    looking up and touching the request.
  * Let optee_supp_thrd_req() notice that the client has terminated and
    signal optee_supp_send() accordingly.

With these changes the request cannot be freed while the supplicant still
has a reference, eliminating the race.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LinuxLinux Kernel Version >= 5.4.291 < 5.5
LinuxLinux Kernel Version >= 5.10.235 < 5.10.259
LinuxLinux Kernel Version >= 5.15.179 < 5.15.210
LinuxLinux Kernel Version >= 6.1.130 < 6.1.176
LinuxLinux Kernel Version >= 6.6.80 < 6.6.143
LinuxLinux Kernel Version >= 6.12.17 < 6.12.94
LinuxLinux Kernel Version >= 6.13.5 < 6.14
LinuxLinux Kernel Version >= 6.14.1 < 6.18.36
LinuxLinux Kernel Version >= 6.19 < 7.0.13
LinuxLinux Kernel Version6.14 Update-
LinuxLinux Kernel Version6.14 Updaterc4
LinuxLinux Kernel Version6.14 Updaterc5
LinuxLinux Kernel Version6.14 Updaterc6
LinuxLinux Kernel Version6.14 Updaterc7
LinuxLinux Kernel Version7.1 Updaterc1
LinuxLinux Kernel Version7.1 Updaterc2
LinuxLinux Kernel Version7.1 Updaterc3
LinuxLinux Kernel Version7.1 Updaterc4
LinuxLinux Kernel Version7.1 Updaterc5
LinuxLinux Kernel Version7.1 Updaterc6
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.13% 0.026
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
416baaa9-dc9f-4396-8d5f-8c081fb06d67 7.8 1.8 5.9
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE-416 Use After Free

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

https://git.kernel.org/stable/c/416259cb5bffecaaae5f76539deb535a8c1b2c34
Patch
https://git.kernel.org/stable/c/724d0caffd4204b46f78efe22f18f8338031c6e1
Patch
https://git.kernel.org/stable/c/ae847ab29ded2d7cece4d5970f0edefa4137bf2f
Patch
https://git.kernel.org/stable/c/9a0dc9279d0907b198f205a693aedf696b08145d
Patch
https://git.kernel.org/stable/c/d366a01475f927402c96a3fe78bfc06b924fc87d
Patch
https://git.kernel.org/stable/c/d5b57bb314d79e99bebb58a53588fa11dd4dbf69
Patch
https://git.kernel.org/stable/c/373152c94e57e9592b68c100e224fbd943cfd608
Patch
https://git.kernel.org/stable/c/387a926ee166814611acecb960207fe2f3c4fd3e
Patch