Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Local, low-priv trigger during driver probe on specific hardware; OOB read yields at most a limited info leak (C:L) but can crash the kernel (A:H).
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Lifecycle Timeline
5DescriptionNVD
In the Linux kernel, the following vulnerability has been resolved:
clk: microchip: mpfs-ccc: fix out of bounds access during output registration
UBSAN reported an out of bounds access during registration of the last two outputs. This out of bounds access occurs because space is only allocated in the hws array for two PLLs and the four output dividers that each has, but the defined IDs contain two DLLS and their two outputs each, which are not supported by the driver. The ID order is PLLs -> DLLs -> PLL outputs -> DLL outputs. Decrement the PLL output IDs by two while adding them to the array to avoid the problem.
AnalysisAI
Out-of-bounds memory access in the Linux kernel's Microchip PolarFire SoC clock conditioning circuit driver (clk-mpfs-ccc) occurs during registration of the final clock outputs, because the driver's hws array is sized only for two PLLs and their four dividers while the defined clock IDs also enumerate two unsupported DLLs and their outputs. On affected Microchip PolarFire SoC hardware this leads to reads past the allocated array (flagged by UBSAN), enabling information disclosure or a kernel crash. There is no public exploit identified at time of analysis and EPSS exploitation probability is negligible (0.02%).
Technical ContextAI
The affected component is drivers/clk/microchip/clk-mpfs-ccc.c, the Common Clock Framework driver for the Clock Conditioning Circuit (CCC) on Microchip's PolarFire SoC, a RISC-V system-on-chip. During probe the driver populates a clk_hw_onecell_data hws array but only allocates space for the two supported PLLs and their four output dividers each. The defined ID enumeration order is PLLs -> DLLs -> PLL outputs -> DLL outputs, and because the two DLLs and their outputs are not supported by the driver, indexing the PLL output IDs directly overshoots the allocated array. This is a classic CWE-125 (Out-of-bounds Read) rooted in an index/allocation-size mismatch; the fix decrements the PLL output IDs by two so they map back into the correctly sized array.
RemediationAI
Vendor-released patch: update to a fixed Linux stable release - 6.1.175, 6.6.140, 6.12.88, 6.18.30 or 7.0.7 (fix also in 7.1-rc1/mainline) - or apply the corresponding stable commit from git.kernel.org (e.g. https://git.kernel.org/stable/c/9ed9b580a814773482c0a4f1be045636e68cc109). For distribution kernels, take the vendor's patched build for your series. If immediate patching is not possible and the platform is not Microchip PolarFire SoC, practical exposure is nil and no urgent action is required. On PolarFire SoC systems where you cannot yet update, a compensating control is to disable/omit the mpfs-ccc clock driver (CONFIG_MCHP_CLK_MPFS_CCC) in the kernel config if the CCC-derived clocks are not needed - the trade-off is loss of those clock outputs, which may break peripherals that depend on them, so validate hardware bring-up before deploying.
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35159
GHSA-hjvh-379x-4g57