Skip to main content

Linux Kernel CVE-2026-46148

| EUVDEUVD-2026-32775 MEDIUM
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-v9m3-f9j3-xrv6
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
4.7 MEDIUM

AC:H over vendor AC:L because the specific multi-device coreQSPI hardware topology is a prerequisite entirely beyond attacker control; C and I remain N per description.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 10, 2026 - 21:34 vuln.today
CVSS changed
Jun 10, 2026 - 21:22 NVD
5.5 (MEDIUM)
Patch available
May 28, 2026 - 12:01 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
MEDIUM 5.5
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

spi: microchip-core-qspi: control built-in cs manually

The coreQSPI IP supports only a single chip select, which is automagically operated by the hardware - set low when the transmit buffer first gets written to and set high when the number of bytes written to the TOTALBYTES field of the FRAMES register have been sent on the bus. Additional devices must use GPIOs for their chip selects. It was reported to me that if there are two devices attached to this QSPI controller that the in-built chip select is set low while linux tries to access the device attached to the GPIO.

This went undetected as the boards that connected multiple devices to the SPI controller all exclusively used GPIOs for chip selects, not relying on the built-in chip select at all. It turns out that this was because the built-in chip select, when controlled automagically, is set low when active and high when inactive, thereby ruling out its use for active-high devices or devices that need to transmit with the chip select disabled.

Modify the driver so that it controls chip select directly, retaining the behaviour for mem_ops of setting the chip select active for the entire duration of the transfer in the exec_op callback. For regular transfers, implement the set_cs callback for the core to use.

As part of this, the existing setup callback, mchp_coreqspi_setup_op(), is removed. Modifying the CLKIDLE field is not safe to do during operation when there are multiple devices, so this code is removed entirely. Setting the MASTER and ENABLE fields is something that can be done once at probe, it doesn't need to be re-run for each device. Instead the new setup callback sets the built-in chip select to its inactive state for active-low devices, as the reset value of the chip select in software controlled mode is low.

AnalysisAI

Incorrect hardware chip-select management in the Linux kernel spi/microchip-core-qspi driver causes the built-in hardware CS line to assert spuriously during SPI transactions directed at GPIO-managed chip selects on multi-device coreQSPI controllers. Systems using Microchip coreQSPI IP hardware with two or more attached SPI devices - where at least one device uses the built-in hardware CS - are subject to unintended bus assertion that can crash or disrupt SPI-dependent peripherals, producing a high-availability impact. No public exploit exists and EPSS stands at 0.02% (4th percentile), consistent with the narrow embedded-hardware topology required for manifestation; the vulnerability is not in CISA KEV.

Technical ContextAI

The coreQSPI IP core is a Quad-SPI peripheral controller found on Microchip PolarFire SoC and related embedded platforms. Its built-in chip select was designed to be managed entirely by hardware: asserted when the transmit buffer is written and de-asserted once the byte count specified in the FRAMES.TOTALBYTES field has been transmitted. The driver historically did not place this CS under software control, relying on the hardware automaton. In multi-device topologies where additional SPI devices use GPIO lines as chip selects, the hardware CS automaton still fires during those unrelated GPIO-CS transactions, placing an unintended low signal on the built-in CS line. The fix transitions CS management to a software-controlled model using set_cs and exec_op callbacks, and removes the per-device setup reconfiguration of CLKIDLE/MASTER/ENABLE that was unsafe to run concurrently. No CWE is assigned; the root cause is a resource management logic error - failure to inhibit or gate the hardware CS path when it is not the intended target of a transaction. Affected product CPE: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*.

RemediationAI

The primary fix is to upgrade the Linux kernel to 6.18.30, 7.0.7, or 7.1-rc3 (or any later stable release), which contain the corrected spi/microchip-core-qspi driver. Fix commits are available at https://git.kernel.org/stable/c/7672749e1496215e8683ce57cf323119033954cf, https://git.kernel.org/stable/c/998f43196d732f20f9b71eb6ebd973736c9fa911, and https://git.kernel.org/stable/c/ee3c99aa102212ad59dc2c19595515c4a6729307 for downstream integration. If an immediate kernel upgrade is not feasible, a hardware-topology workaround is to ensure that all SPI devices attached to the coreQSPI controller exclusively use GPIO chip selects (not the built-in CS), which prevents the spurious CS assertion from affecting active devices; this may require board-level changes and is not available in all deployments. Note that the patch removes per-device CLKIDLE reconfiguration from the setup callback; operators relying on device-specific clock idle polarity may need to validate SPI device compatibility after upgrading to the patched kernel.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected

Share

CVE-2026-46148 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy