Overview
CVE-2025-46733 is a critical cybersecurity vulnerability that affects the OP-TEE Trusted Execution Environment (TEE), a companion to a non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone technology. This vulnerability is particularly impactful as it could lead to system compromise or data leakage. It is crucial for organizations, cybersecurity professionals, and individuals utilizing this technology to understand the nature of this vulnerability, its potential impact, and the necessary steps for mitigation.
This vulnerability can be exploited by an attacker with access to the REE userspace, enabling them to trigger a panic in a TA, potentially leading to the disruption of system operations or the unauthorized access to sensitive data. Given the widespread use of OP-TEE, this vulnerability could potentially affect a broad range of systems and devices, emphasizing the need for immediate action to mitigate the threat.
Vulnerability Summary
CVE ID: CVE-2025-46733
Severity: Critical – CVSS score 7.9
Attack Vector: Local
Privileges Required: High
User Interaction: None
Impact: System compromise, potential data leakage
Affected Products
Escape the Surveillance Era
Most apps won’t tell you the truth.
They’re part of the problem.
Phone numbers. Emails. Profiles. Logs.
It’s all fuel for surveillance.
Ameeba Chat gives you a way out.
- • No phone number
- • No email
- • No personal info
- • Anonymous aliases
- • End-to-end encrypted
Chat without a trace.
Product | Affected Versions
OP-TEE | Version 4.5.0
How the Exploit Works
The vulnerability arises from the handling of return codes in the OP-TEE’s libutee Secure Storage API. Specifically, the return codes of secure storage operations are passed unsanitized from the REE tee-supplicant, through the Linux kernel tee-driver, through the OP-TEE kernel, back to libutee. An attacker with access to REE userspace and the ability to replace the tee-supplicant with their own process can exploit this vulnerability, responding to storage requests with unexpected response codes, which in turn trigger a panic in the requesting TA.
This vulnerability is particularly potent for TAs built with `TA_FLAG_SINGLE_INSTANCE` and `TA_FLAG_INSTANCE_KEEP_ALIVE`. An attacker who can trigger a panic in the TA and reload it with a clean memory space can manipulate the behavior of these TAs. A prime example is the optee_ftpm TA, where the attacker could reset the PCR values and extend them with their chosen values, potentially leading to falsified boot measurements and unauthorized access to sealed data.
Conceptual Example Code
While there is no specific example code for this exploit, the concept involves replacing the tee-supplicant binary with a malicious one, capable of responding to storage requests with unexpected response codes. This could be conceptually represented as:
# Stop the tee-supplicant
killall tee-supplicant
# Execute malicious tee-supplicant
./malicious_tee-supplicantIn the above pseudo-code, `malicious_tee-supplicant` would be a specially crafted binary that responds to storage requests with unexpected response codes, triggering a panic in the requesting TA.