CVE-2026-46192: Linux Microchip QSPI Driver Read Failure Vulnerability
A flaw exists in the Linux kernel's Microchip QSPI (Quad SPI) driver that causes read operations to fail when using dual or quad-mode communication. The driver incorrectly attempts to transmit garbage data to generate clock cycles during read-only operations, but QSPI lacks a dedicated output line for this purpose in these modes. This causes the transfer to stall, effectively making data reads unreliable or impossible on affected systems using this driver.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- —
- Affected products
- 3 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
In the Linux kernel, the following vulnerability has been resolved: spi: microchip-core-qspi: don't attempt to transmit during emulated read-only dual/quad operations The core will deal with reads by creating clock cycles itself, there's no need to generate clock cycles by transmitting garbage data at the driver level. Further, transmitting garbage data just bricks the transfer since QSPI doesn't have a dedicated master-out line like MOSI in regular SPI. I'm not entirely sure if the transfer is bricked because of the garbage data being transmitted on the bus or because the core loses track of whether it is supposed to be sending or receiving data.
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-46192 is a logic error in the microchip-core-qspi driver within the Linux kernel. During emulated read-only operations in dual or quad-mode QSPI, the driver attempts to generate clock cycles by transmitting data on a bus that lacks the necessary master-out signal path in those modes. The QSPI core is designed to handle read clock generation internally; the driver's transmission of garbage data either corrupts the bus state or causes the core to lose synchronization between send and receive states, resulting in broken transfers.
Business impact
Systems relying on Microchip QSPI controllers for storage or peripheral access may experience data corruption, loss of access to flash memory, or system instability during read operations. This is particularly impactful for embedded and IoT devices that depend on QSPI for boot code, configuration, or runtime data retrieval. Affected deployments may require reboots or fail to initialize correctly, reducing availability and reliability.
Affected systems
The Linux kernel is affected across versions containing the vulnerable microchip-core-qspi driver code. Impact is limited to systems using Microchip QSPI controllers in dual or quad-mode configurations. This includes various embedded platforms, development boards, and IoT devices that rely on the Microchip QSPI hardware interface and the affected driver version.
Exploitability
Exploitation requires local access to the system and the ability to trigger a QSPI read operation in dual or quad mode—typically through normal file I/O, memory-mapped access, or bootloader operations. No special privileges or user interaction is required beyond initiating a read; the flaw triggers automatically during such operations. Practical exploitation occurs passively whenever the affected driver attempts a dual/quad-mode read.
Remediation
Update the Linux kernel to a version that includes the fix for the microchip-core-qspi driver. The patch removes the erroneous transmission logic during read-only dual/quad operations, allowing the QSPI core to manage clock generation internally. Verify the specific patched version against the Linux kernel security advisories and your distribution's update channels.
Patch guidance
Apply the latest kernel updates from your Linux distribution or kernel.org that address CVE-2026-46192. Coordinate patching with system availability windows, as kernel updates typically require a reboot. Test patches in a non-production environment first, especially for embedded systems dependent on QSPI for boot functionality. Verify that storage and peripheral access functions normally after patching.
Detection guidance
Monitor system logs for QSPI-related errors, transfer failures, or timeouts during read operations. On affected systems, you may observe file I/O errors, failed boot sequences, or memory access anomalies when QSPI is active in dual/quad mode. Use kernel debugging tools to inspect QSPI controller state during failures. Correlate issues with confirmed use of the Microchip QSPI driver and dual/quad-mode configuration.
Why prioritize this
Although unassigned to the CISA Known Exploited Vulnerabilities (KEV) catalog, this flaw carries a MEDIUM severity rating with high availability impact. It affects a specialized hardware interface likely present in targeted embedded and IoT deployments rather than general-purpose systems. Organizations running Linux on Microchip QSPI platforms should prioritize patching to restore data access reliability, but broader enterprise networks may defer based on their hardware footprint.
Risk score, explained
The CVSS 3.1 score of 5.5 (MEDIUM) reflects local attack surface, low complexity, and no requirement for special privileges. The severity is driven by high availability impact—the flaw completely breaks QSPI read functionality—but integrity and confidentiality are not directly compromised. The score appropriately captures a localized but serious disruption to systems that depend on the affected driver.
Frequently asked questions
Does this vulnerability allow remote code execution or data theft?
No. This is an availability flaw that breaks QSPI read operations. It does not enable privilege escalation, code execution, or data exfiltration. The impact is confined to data access reliability on systems using the affected driver and hardware.
Which devices are most at risk?
Embedded systems, IoT devices, and development boards using Microchip QSPI controllers—particularly those that boot from or depend on QSPI flash memory and use dual or quad-mode communication. Consumer routers, industrial controllers, and ARM-based single-board computers are common examples.
Do I need to physically access the device to trigger this flaw?
No. Any local process that initiates a QSPI read operation in dual or quad mode will trigger the flaw automatically. For devices that boot from QSPI, the vulnerability may manifest at startup. For running systems, it occurs whenever the driver attempts a dual/quad-mode read.
What happens if I ignore this vulnerability?
QSPI read operations will fail or stall, potentially rendering the device unbootable or unable to access storage and peripherals that depend on the QSPI interface. The impact depends on how critical QSPI is to your system's operation.
This analysis is based on available CVE and vendor data as of the publication date. Patch availability, affected product versions, and mitigation steps should be verified against official Linux kernel advisories and vendor documentation. Organizations should conduct their own risk assessment based on their specific hardware configurations and deployment models. SEC.co does not provide legal advice or guarantees regarding vulnerability impact or remediation success. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Affected vendors
Related vulnerabilities
- CVE-2025-71313MEDIUMLinux Kernel PCI Endpoint NULL Pointer Dereference
- CVE-2025-71314MEDIUMLinux Panthor GPU Driver Denial of Service via Cache Flush Timeout
- CVE-2026-10004MEDIUMChrome UI Spoofing Vulnerability – Password Dialog Hijacking
- CVE-2026-10018MEDIUMInteger Overflow in Chrome ANGLE GPU Graphics Layer
- CVE-2026-10912MEDIUMChrome Extension Same-Origin Policy Bypass (CVSS 6.5)
- CVE-2026-10916MEDIUMChrome DevTools UXSS Vulnerability
- CVE-2026-10998MEDIUMChrome Media Out-of-Bounds Memory Read Vulnerability
- CVE-2026-11004MEDIUMChrome ANGLE Out-of-Bounds Read Memory Disclosure