Skip to main content

Linux Kernel CVE-2026-46203

| EUVDEUVD-2026-32830 HIGH
Out-of-bounds Read (CWE-125)
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-j454-pvhh-fcmq
High
Disputed · 7.1 NVD
Share

Severity by source

Sources disagree (Low–High)
NVD PRIMARY
7.1 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
SUSE
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Red Hat
5.5 LOW
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 10, 2026 - 17:07 vuln.today
CVSS changed
Jun 10, 2026 - 17:07 NVD
7.1 (HIGH)
Patch available
May 28, 2026 - 12:01 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
HIGH 7.1
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

spi: cadence-quadspi: fix unclocked access on unbind

Make sure that the controller is runtime resumed before disabling it during driver unbind to avoid an unclocked register access.

This issue was flagged by Sashiko when reviewing a controller deregistration fix.

AnalysisAI

Unclocked register access in the Linux kernel's Cadence Quadspi SPI controller driver (spi-cadence-quadspi) occurs during driver unbind, affecting kernel versions through 7.0.x and 7.1-rc1. A local low-privileged user able to trigger driver unbind can cause high-impact confidentiality loss and denial of service on systems using affected SPI hardware. There is no public exploit identified at time of analysis and EPSS rates exploitation probability at just 0.02%.

Technical ContextAI

The flaw resides in drivers/spi/spi-cadence-quadspi.c, the driver for Cadence's Quad SPI controller commonly used on embedded ARM/RISC-V SoCs for accessing flash memory. When the driver is unbound, it attempts to disable the controller by writing to its registers without first ensuring the device is runtime-resumed via the kernel's Runtime Power Management framework. If the controller is in a runtime-suspended state (clocks gated), this register access occurs while the IP block is unclocked, leading to undefined behavior such as bus hangs, stale data reads, or memory corruption. The CWE-125 (Out-of-bounds Read) classification reflects that unclocked MMIO reads may return uninitialized or arbitrary bus data, exposed through register operations on a powered-down peripheral.

RemediationAI

Vendor-released patch: upgrade to Linux 7.0.9 or 7.1-rc2 (and later), which call pm_runtime_get_sync() before disabling the controller during unbind, as committed in 233db2cb14db8 and d67a5311818b3. Distribution users should apply stable kernel updates from their vendor (Red Hat, Debian, Ubuntu, SUSE) once these commits are backported. As a workaround until patched, avoid unbinding the spi-cadence-quadspi driver at runtime (do not write to /sys/bus/platform/drivers/cadence-qspi/unbind) and restrict CAP_SYS_ADMIN; on systems that do not use Cadence Quad SPI, ensure the module is not loaded (blacklist spi-cadence-quadspi in modprobe.d) - the trade-off is loss of runtime driver management for that controller. The commits are linked at https://git.kernel.org/stable/c/233db2cb14db8b1935dda52a6affd97276462b82 and https://git.kernel.org/stable/c/d67a5311818b3e6481a1e4293c9337ebfee73111.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected

Share

CVE-2026-46203 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy