HIGH 7.1

CVE-2026-46203: Linux Cadence QuadSPI Unclocked Register Access Vulnerability

A flaw in the Linux kernel's Cadence QuadSPI controller driver can cause the system to access hardware registers without proper power management during driver shutdown. When the driver is unloaded, it attempts to disable the controller without ensuring the hardware is powered up first, potentially causing system instability or data corruption. This is a local issue requiring user-level access to trigger.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.1 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Weaknesses (CWE)
CWE-125
Affected products
2 configuration(s)
Published / Modified
2026-05-28 / 2026-06-19

NVD description (verbatim)

In the Linux kernel, the following vulnerability has been resolved: spi: cadence-quadspi: fix unclocked access on unbind Make sure that the controller is runtime resumed before disabling it during driver unbind to avoid an unclocked register access. This issue was flagged by Sashiko when reviewing a controller deregistration fix.

4 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-46203 is a power management bug in the Linux kernel's spi/cadence-quadspi driver. During unbind operations, the driver disables the controller without first resuming it from runtime power management suspension, resulting in unclocked register access. The vulnerability stems from improper sequencing of hardware state transitions during deregistration. The issue was identified during code review of controller deregistration logic and is addressed by adding a runtime_pm_get_sync() call before the disable operation to ensure the controller is clocked and accessible.

Business impact

Systems relying on Cadence QuadSPI controllers for SPI flash memory access (common in embedded Linux systems, IoT devices, and automotive platforms) may experience unexpected behavior during driver unload events. Potential impacts include kernel hangs, data corruption, or system crashes when the driver is removed or the system is shut down. Organizations managing fleets of embedded Linux devices with these controllers should prioritize assessment and patching to prevent field failures and support escalations.

Affected systems

The Linux kernel is affected across versions that include the vulnerable cadence-quadspi driver. Systems using Cadence QuadSPI controllers for SPI NOR flash access are at risk. This includes embedded Linux deployments, industrial controllers, automotive systems, and network appliances that rely on this driver for boot firmware or data storage access. Desktop and server systems are less commonly affected unless they include specialized SPI controller hardware.

Exploitability

Exploitation requires local access to the system and the ability to trigger driver unbind operations, such as through sysfs manipulation or system shutdown sequences. An unprivileged local user cannot directly exploit this; however, any user with privileges to unload kernel modules or trigger system state changes could inadvertently trigger the flaw. The vulnerability is more likely to manifest during normal system operations like reboot or driver reload rather than through deliberate attack, making opportunistic triggering feasible in multi-user environments.

Remediation

Apply the kernel patch that adds runtime power management resumption before controller disable during unbind. The fix ensures the controller is in an active, clocked state before register access occurs. Verify the patch version against the official Linux kernel repository and your distribution's security advisories. Kernel rebuilds may be necessary for systems running custom kernels. Test updates in non-production environments to confirm stability with your specific SPI controller hardware before broad deployment.

Patch guidance

Obtain the patched kernel version from your Linux distribution's security repository or kernel.org. The fix involves ensuring runtime_pm_get_sync() is called on the controller before attempting disable operations. Check your vendor's kernel update timeline and apply through standard package management (apt, yum, zypper, etc.). For embedded or customized kernels, refer to the Linux kernel mainline commit addressing this issue and backport if necessary. Verify the patch through your distribution's release notes or security advisory documentation.

Detection guidance

Monitor system logs for kernel warnings or errors related to cadence-quadspi driver operations, particularly during driver unload or system shutdown. Look for clock-related error messages or register access warnings. On affected systems, isolate driver load/unload events and note any kernel warnings or system instability correlated with these operations. Implement monitoring for unexpected system hangs or crashes during reboot cycles on systems with Cadence QuadSPI hardware. Kernel debugging tools and dmesg examination are primary detection methods; runtime behavioral indicators may be subtle unless corruption occurs.

Why prioritize this

Although not yet on the CISA Known Exploited Vulnerabilities catalog, the HIGH severity rating (7.1 CVSS) and impact on data integrity warrant prompt attention. The vulnerability affects core SPI flash access in embedded systems, where controller failures can cascade into boot failures or data loss. Organizations with Cadence QuadSPI-dependent infrastructure should prioritize this during regular patch cycles to prevent unexpected downtime and ensure system reliability during routine maintenance operations.

Risk score, explained

The CVSS 3.1 score of 7.1 (HIGH) reflects: local attack vector (AV:L), low attack complexity (AC:L), low privilege requirements (PR:L), no user interaction (UI:N), unchanged scope (S:U), high confidentiality impact (C:H), no integrity impact (I:N), and high availability impact (A:H). The high confidentiality and availability impacts are driven by the potential for information disclosure through unclocked access and system unavailability through crashes or hangs. The local privilege requirement and local attack surface limit the score from critical, but the combination of data exposure and system instability justifies the HIGH severity rating.

Frequently asked questions

Does this vulnerability affect my Linux system?

Only if your system includes a Cadence QuadSPI SPI controller and the vulnerable kernel driver is active. This is primarily relevant to embedded Linux systems, IoT devices, automotive platforms, and specialized hardware. Most consumer desktop and server systems are unaffected. Check your hardware specifications and kernel configuration to determine exposure.

Can this be exploited remotely or without user privileges?

No. The vulnerability requires local system access and at minimum the ability to trigger driver unbind operations. An unprivileged user cannot directly exploit it, though privileged users or system administrators can inadvertently trigger it during normal operations like driver reload or system shutdown.

What happens if I apply this patch? Will it affect system functionality?

The patch only adds a power management state check before hardware disable. No functional behavior changes; instead, it prevents potential crashes or data corruption. Systems should be more stable and reliable after patching, particularly during driver unload events and system shutdown.

Is there a workaround if I cannot patch immediately?

The primary risk occurs during driver unbind operations. Minimize driver reload and system restart cycles on affected hardware until patching is possible. However, a patch should be prioritized and applied as soon as your Linux distribution releases it, as the workaround is not a long-term solution.

This analysis is provided for informational purposes and represents SEC.co's interpretation of publicly available vulnerability data as of the publication date. Actual impact, affected versions, and patch availability vary by Linux distribution and vendor. Always verify patch availability, compatibility, and test in controlled environments before deploying to production systems. Consult your Linux vendor's official security advisory for authoritative guidance on affected versions, patch status, and timelines. The CVSS score provided is the official rating issued with this CVE; severity assessment should be contextualized to your specific infrastructure and risk tolerance. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).