FKIE_CVE-2026-46148

Vulnerability from fkie_nvd - Published: 2026-05-28 10:16 - Updated: 2026-05-28 13:44
Severity
Summary
In the Linux kernel, the following vulnerability has been resolved: spi: microchip-core-qspi: control built-in cs manually The coreQSPI IP supports only a single chip select, which is automagically operated by the hardware - set low when the transmit buffer first gets written to and set high when the number of bytes written to the TOTALBYTES field of the FRAMES register have been sent on the bus. Additional devices must use GPIOs for their chip selects. It was reported to me that if there are two devices attached to this QSPI controller that the in-built chip select is set low while linux tries to access the device attached to the GPIO. This went undetected as the boards that connected multiple devices to the SPI controller all exclusively used GPIOs for chip selects, not relying on the built-in chip select at all. It turns out that this was because the built-in chip select, when controlled automagically, is set low when active and high when inactive, thereby ruling out its use for active-high devices or devices that need to transmit with the chip select disabled. Modify the driver so that it controls chip select directly, retaining the behaviour for mem_ops of setting the chip select active for the entire duration of the transfer in the exec_op callback. For regular transfers, implement the set_cs callback for the core to use. As part of this, the existing setup callback, mchp_coreqspi_setup_op(), is removed. Modifying the CLKIDLE field is not safe to do during operation when there are multiple devices, so this code is removed entirely. Setting the MASTER and ENABLE fields is something that can be done once at probe, it doesn't need to be re-run for each device. Instead the new setup callback sets the built-in chip select to its inactive state for active-low devices, as the reset value of the chip select in software controlled mode is low.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/7672749e1496215e8683ce57cf323119033954cf
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/998f43196d732f20f9b71eb6ebd973736c9fa911
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/ee3c99aa102212ad59dc2c19595515c4a6729307
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: microchip-core-qspi: control built-in cs manually\n\nThe coreQSPI IP supports only a single chip select, which is\nautomagically operated by the hardware - set low when the transmit\nbuffer first gets written to and set high when the number of bytes\nwritten to the TOTALBYTES field of the FRAMES register have been sent on\nthe bus. Additional devices must use GPIOs for their chip selects.\nIt was reported to me that if there are two devices attached to this\nQSPI controller that the in-built chip select is set low while linux\ntries to access the device attached to the GPIO.\n\nThis went undetected as the boards that connected multiple devices to\nthe SPI controller all exclusively used GPIOs for chip selects, not\nrelying on the built-in chip select at all. It turns out that this was\nbecause the built-in chip select, when controlled automagically, is set\nlow when active and high when inactive, thereby ruling out its use for\nactive-high devices or devices that need to transmit with the chip\nselect disabled.\n\nModify the driver so that it controls chip select directly, retaining\nthe behaviour for mem_ops of setting the chip select active for the\nentire duration of the transfer in the exec_op callback. For regular\ntransfers, implement the set_cs callback for the core to use.\n\nAs part of this, the existing setup callback, mchp_coreqspi_setup_op(),\nis removed. Modifying the CLKIDLE field is not safe to do during\noperation when there are multiple devices, so this code is removed\nentirely. Setting the MASTER and ENABLE fields is something that can be\ndone once at probe, it doesn\u0027t need to be re-run for each device.\nInstead the new setup callback sets the built-in chip select to its\ninactive state for active-low devices, as the reset value of the chip\nselect in software controlled mode is low."
    }
  ],
  "id": "CVE-2026-46148",
  "lastModified": "2026-05-28T13:44:01.663",
  "metrics": {},
  "published": "2026-05-28T10:16:30.410",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/7672749e1496215e8683ce57cf323119033954cf"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/998f43196d732f20f9b71eb6ebd973736c9fa911"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/ee3c99aa102212ad59dc2c19595515c4a6729307"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.