MEDIUM 5.5

CVE-2026-46192: Linux Microchip QSPI Driver Read Failure Vulnerability

A flaw exists in the Linux kernel's Microchip QSPI (Quad SPI) driver that causes read operations to fail when using dual or quad-mode communication. The driver incorrectly attempts to transmit garbage data to generate clock cycles during read-only operations, but QSPI lacks a dedicated output line for this purpose in these modes. This causes the transfer to stall, effectively making data reads unreliable or impossible on affected systems using this driver.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
Affected products
3 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

In the Linux kernel, the following vulnerability has been resolved: spi: microchip-core-qspi: don't attempt to transmit during emulated read-only dual/quad operations The core will deal with reads by creating clock cycles itself, there's no need to generate clock cycles by transmitting garbage data at the driver level. Further, transmitting garbage data just bricks the transfer since QSPI doesn't have a dedicated master-out line like MOSI in regular SPI. I'm not entirely sure if the transfer is bricked because of the garbage data being transmitted on the bus or because the core loses track of whether it is supposed to be sending or receiving data.

3 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-46192 is a logic error in the microchip-core-qspi driver within the Linux kernel. During emulated read-only operations in dual or quad-mode QSPI, the driver attempts to generate clock cycles by transmitting data on a bus that lacks the necessary master-out signal path in those modes. The QSPI core is designed to handle read clock generation internally; the driver's transmission of garbage data either corrupts the bus state or causes the core to lose synchronization between send and receive states, resulting in broken transfers.

Business impact

Systems relying on Microchip QSPI controllers for storage or peripheral access may experience data corruption, loss of access to flash memory, or system instability during read operations. This is particularly impactful for embedded and IoT devices that depend on QSPI for boot code, configuration, or runtime data retrieval. Affected deployments may require reboots or fail to initialize correctly, reducing availability and reliability.

Affected systems

The Linux kernel is affected across versions containing the vulnerable microchip-core-qspi driver code. Impact is limited to systems using Microchip QSPI controllers in dual or quad-mode configurations. This includes various embedded platforms, development boards, and IoT devices that rely on the Microchip QSPI hardware interface and the affected driver version.

Exploitability

Exploitation requires local access to the system and the ability to trigger a QSPI read operation in dual or quad mode—typically through normal file I/O, memory-mapped access, or bootloader operations. No special privileges or user interaction is required beyond initiating a read; the flaw triggers automatically during such operations. Practical exploitation occurs passively whenever the affected driver attempts a dual/quad-mode read.

Remediation

Update the Linux kernel to a version that includes the fix for the microchip-core-qspi driver. The patch removes the erroneous transmission logic during read-only dual/quad operations, allowing the QSPI core to manage clock generation internally. Verify the specific patched version against the Linux kernel security advisories and your distribution's update channels.

Patch guidance

Apply the latest kernel updates from your Linux distribution or kernel.org that address CVE-2026-46192. Coordinate patching with system availability windows, as kernel updates typically require a reboot. Test patches in a non-production environment first, especially for embedded systems dependent on QSPI for boot functionality. Verify that storage and peripheral access functions normally after patching.

Detection guidance

Monitor system logs for QSPI-related errors, transfer failures, or timeouts during read operations. On affected systems, you may observe file I/O errors, failed boot sequences, or memory access anomalies when QSPI is active in dual/quad mode. Use kernel debugging tools to inspect QSPI controller state during failures. Correlate issues with confirmed use of the Microchip QSPI driver and dual/quad-mode configuration.

Why prioritize this

Although unassigned to the CISA Known Exploited Vulnerabilities (KEV) catalog, this flaw carries a MEDIUM severity rating with high availability impact. It affects a specialized hardware interface likely present in targeted embedded and IoT deployments rather than general-purpose systems. Organizations running Linux on Microchip QSPI platforms should prioritize patching to restore data access reliability, but broader enterprise networks may defer based on their hardware footprint.

Risk score, explained

The CVSS 3.1 score of 5.5 (MEDIUM) reflects local attack surface, low complexity, and no requirement for special privileges. The severity is driven by high availability impact—the flaw completely breaks QSPI read functionality—but integrity and confidentiality are not directly compromised. The score appropriately captures a localized but serious disruption to systems that depend on the affected driver.

Frequently asked questions

Does this vulnerability allow remote code execution or data theft?

No. This is an availability flaw that breaks QSPI read operations. It does not enable privilege escalation, code execution, or data exfiltration. The impact is confined to data access reliability on systems using the affected driver and hardware.

Which devices are most at risk?

Embedded systems, IoT devices, and development boards using Microchip QSPI controllers—particularly those that boot from or depend on QSPI flash memory and use dual or quad-mode communication. Consumer routers, industrial controllers, and ARM-based single-board computers are common examples.

Do I need to physically access the device to trigger this flaw?

No. Any local process that initiates a QSPI read operation in dual or quad mode will trigger the flaw automatically. For devices that boot from QSPI, the vulnerability may manifest at startup. For running systems, it occurs whenever the driver attempts a dual/quad-mode read.

What happens if I ignore this vulnerability?

QSPI read operations will fail or stall, potentially rendering the device unbootable or unable to access storage and peripherals that depend on the QSPI interface. The impact depends on how critical QSPI is to your system's operation.

This analysis is based on available CVE and vendor data as of the publication date. Patch availability, affected product versions, and mitigation steps should be verified against official Linux kernel advisories and vendor documentation. Organizations should conduct their own risk assessment based on their specific hardware configurations and deployment models. SEC.co does not provide legal advice or guarantees regarding vulnerability impact or remediation success. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).