PT-2026-46006 · Op Tee · Optee Os

Published 2026-06-03 · Updated 2026-06-03 · CVE-2026-40290

CVSS v3.1: 7.8 High
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
OP-TEE is a Trusted Execution Environment (TEE) designed as a companion to a non-secure Linux kernel running on Arm Cortex-A cores using the TrustZone technology. Starting in version 3.16.0 and prior to 4.11.0, a use-after-free (UAF) race condition exists in the shared memory teardown logic of FF-A within OP-TEE SPMC/SP flows. This only applies when OP-TEE is configured as an SPMC for S-EL0 SPs, that is, with CFG_SECURE_PARTITION=y. The function sp_mem_remove(), responsible for freeing entries in smem->receivers and smem->regions, fails to acquire the global sp_mem_lock before performing the free() operations. Concurrently, other code paths, such as sp_mem_get_receiver(), iterate over these same lists without holding a lock, or, like sp_mem_is_shared(), iterate while holding the lock but are not serialized against the unprotected free() in sp_mem_remove(). This creates a cross-thread race where a thread iterating the list can acquire a pointer to an entry (e.g., struct sp_mem_map_region or struct sp_mem_receiver), and then another thread calls sp_mem_remove(), freeing the object. When the first thread resumes and dereferences the pointer, the result is a use-after-free. Version 4.11.0 fixes the issue.

Fix

Weakness Enumeration: Use After Free

Related Identifiers: CVE-2026-40290

Affected Products: Optee Os