Op Tee · Op-Tee · CVE-2026-40290
**Name of the Vulnerable Software and Affected Versions**
OP-TEE versions 3.16.0 through 4.10.x
**Description**
A use-after-free race condition exists in the FF-A shared memory teardown logic used in the SPMC/SP flows. It occurs when OP-TEE is configured as an SPMC for S-EL0 SPs with `CFG_SECURE_PARTITION=y`. The function `sp_mem_remove()` frees the entries in `smem->receivers` and `smem->regions` without acquiring the global `sp_mem_lock`. Other code paths, such as `sp_mem_get_receiver()`, iterate over these lists without taking any lock, and `sp_mem_is_shared()` iterates while holding the lock but is not serialized against the unprotected free. A thread can therefore obtain a pointer to an entry, such as a `struct sp_mem_map_region` or `struct sp_mem_receiver`, which is then freed by another thread calling `sp_mem_remove()`; the first thread dereferences the stale pointer, resulting in a use-after-free.
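The lock discipline at issue, as an added illustration that is not OP-TEE's code: a constructed model of a shared-memory object with a receiver list and one global lock, in which the hardened `sp_mem_remove()` takes `sp_mem_lock` around the free loop, and a hypothetical locked lookup (`sp_mem_receiver_perm()`, not the page's `sp_mem_get_receiver()`) copies a field out under the lock instead of returning a pointer that outlives the critical section. The structure layout and the `perm` field are assumptions made for the example.

```c
#include <pthread.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed model of the structures the advisory names; the field names are
 * assumptions made for illustration, not OP-TEE's own sp_mem.c. */
struct sp_mem_receiver { uint16_t endpoint_id; uint8_t perm; struct sp_mem_receiver *next; };
struct sp_mem { struct sp_mem_receiver *receivers; };

/* One lock that every reader and writer of smem->receivers must hold. */
static pthread_mutex_t sp_mem_lock = PTHREAD_MUTEX_INITIALIZER;

static void add_receiver(struct sp_mem *smem, uint16_t endpoint_id, uint8_t perm)
{
	struct sp_mem_receiver *r = calloc(1, sizeof(*r));
	r->endpoint_id = endpoint_id;
	r->perm = perm;
	pthread_mutex_lock(&sp_mem_lock);
	r->next = smem->receivers;
	smem->receivers = r;
	pthread_mutex_unlock(&sp_mem_lock);
}

/* Locked lookup that copies the field out instead of handing back a pointer
 * that would outlive the critical section. Returns 1 if the receiver exists. */
static int sp_mem_receiver_perm(struct sp_mem *smem, uint16_t endpoint_id, uint8_t *perm)
{
	int found = 0;
	pthread_mutex_lock(&sp_mem_lock);
	for (struct sp_mem_receiver *r = smem->receivers; r; r = r->next)
		if (r->endpoint_id == endpoint_id) { *perm = r->perm; found = 1; break; }
	pthread_mutex_unlock(&sp_mem_lock);
	return found;
}

/* Hardened teardown. The advisory's defect is this same free loop running with
 * neither lock call present, so a reader that took a pointer moments earlier
 * dereferences freed memory. */
static void sp_mem_remove(struct sp_mem *smem)
{
	pthread_mutex_lock(&sp_mem_lock);
	for (struct sp_mem_receiver *r = smem->receivers, *next; r; r = next) {
		next = r->next;
		free(r);
	}
	smem->receivers = NULL;
	pthread_mutex_unlock(&sp_mem_lock);
}
```

Every access to the list goes through the same lock, so a teardown can never interleave with a reader's walk, and readers never keep a list pointer past the unlock.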
**Recommendations**
Update to version 4.11.0.