HIGH 7.1

CVE-2026-46293: Linux Microchip Clock Driver Out-of-Bounds Memory Access

A Linux kernel vulnerability exists in the Microchip PolarFire SoC clock controller driver where the software attempts to write data to memory locations outside the bounds of an allocated array during clock output registration. Specifically, when the driver registers the last two clock outputs, it accesses array indices that were never allocated, corrupting adjacent memory. This occurs because the code defines space for two PLLs and their outputs but fails to properly offset the array indices when handling DLL (Delay-Locked Loop) outputs that the driver doesn't actually support. An attacker with local access can exploit this to read sensitive kernel memory or cause a denial of service.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.1 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Weaknesses (CWE)
CWE-125
Affected products
1 configuration(s)
Published / Modified
2026-06-08 / 2026-07-08

NVD description (verbatim)

In the Linux kernel, the following vulnerability has been resolved: clk: microchip: mpfs-ccc: fix out of bounds access during output registration UBSAN reported an out of bounds access during registration of the last two outputs. This out of bounds access occurs because space is only allocated in the hws array for two PLLs and the four output dividers that each has, but the defined IDs contain two DLLS and their two outputs each, which are not supported by the driver. The ID order is PLLs -> DLLs -> PLL outputs -> DLL outputs. Decrement the PLL output IDs by two while adding them to the array to avoid the problem.

6 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-46293 involves an out-of-bounds read/write vulnerability (CWE-125) in the Linux kernel's Microchip Clock and Conditioning Controller (mpfs-ccc) driver, specifically in the output registration function. The driver allocates an hws array sized for two PLLs with four output dividers each, but the ID enumeration includes two additional unsupported DLLs and their outputs. When the driver processes the last two outputs, it uses unadjusted array indices that exceed the allocated buffer. The UBSAN (Undefined Behavior Sanitizer) runtime check detects memory corruption during device initialization. A fix is available that decrements PLL output IDs by two before adding them to the array, ensuring indices remain within bounds.

Business impact

Exploitation could enable local privilege escalation or information disclosure on systems running vulnerable kernel versions with the Microchip clock driver enabled. Affected devices typically include embedded systems and FPGA development boards using the PolarFire SoC architecture. Denial of service is also possible through kernel panic. Organizations deploying such hardware should prioritize patching to prevent memory corruption exploits and maintain system stability.

Affected systems

The vulnerability affects the Linux kernel on systems equipped with Microchip PolarFire SoC devices that utilize the mpfs-ccc clock controller driver. This includes embedded boards, industrial control systems, and FPGA-based platforms running Linux. The vulnerability is present from the introduction of the driver and persists until patched. Desktop and server systems without this specific SoC hardware are not affected.

Exploitability

Exploitation requires local access with user-level privileges; no network vector is available. The vulnerability is triggered during normal clock output registration, making it possible to exploit during system boot or driver initialization. While the UBSAN report indicates the memory access occurs predictably, successful weaponization depends on kernel memory layout, ASLR settings, and adjacent data structures. A motivated local attacker with modest technical capability could craft an exploit to leak kernel data or corrupt critical structures.

Remediation

Apply the Linux kernel patch that corrects the array indexing in the mpfs-ccc driver's output registration code. Verify the patch version against your kernel branch and test thoroughly in a staging environment before production deployment. For systems where kernel updates are constrained, limiting local user access and enforcing strong authentication mitigates the attack surface.

Patch guidance

Obtain the fix from the Linux kernel repository for your distribution or kernel version. The patch modifies the output registration logic to decrement PLL output IDs by two before array insertion, bringing indices into the allocated bounds. Verify the patch against your kernel source to ensure compatibility with any local modifications. Test on a non-production PolarFire SoC system if available before rolling out across infrastructure.

Detection guidance

Monitor system logs for UBSAN warnings or kernel Oops messages originating from the mpfs-ccc driver during boot or initialization. Kernel address sanitizer (KASAN) builds will also flag the memory violation if enabled. Enable kernel debugging features in development environments to catch the issue early. On production systems, watch for unexpected kernel panics or hangs during clock initialization, which may indicate exploitation attempts.

Why prioritize this

Although the vulnerability requires local access, the combination of HIGH CVSS score (7.1), information disclosure risk, and availability impact (kernel panic) places it in the priority patch tier for affected infrastructure. Organizations with PolarFire SoC deployments should address this promptly; others can defer unless local user access is a significant threat model.

Risk score, explained

The CVSS 3.1 score of 7.1 (HIGH) reflects attack complexity of Low and privilege requirement of Low (user-level local access only), with high impact on both confidentiality (memory disclosure) and availability (denial of service). The lack of network attack vector and requirement for local presence constrain the overall score from Critical, but the reliability and ease of exploitation on vulnerable systems justify the HIGH severity rating.

Frequently asked questions

Does this vulnerability affect my Linux system?

Only if your system uses a Microchip PolarFire SoC with the mpfs-ccc clock controller driver. Most desktop, laptop, server, and cloud infrastructure are unaffected. Check your hardware specifications and kernel configuration for the driver (CONFIG_COMMON_CLK_MPFS_CCC) to determine exposure.

Can this be exploited remotely?

No. The vulnerability requires local user-level access to the system. It cannot be exploited over a network or by an unauthenticated attacker.

What happens if the vulnerability is not patched?

A local attacker can read sensitive kernel memory, potentially extracting cryptographic keys or other secrets, or crash the system via kernel panic. The exact impact depends on system configuration and kernel security mitigations.

Is there a workaround if I cannot patch immediately?

Restrict local shell access to trusted users, enforce strong authentication, and disable unnecessary accounts. However, patching is the only reliable fix and should be prioritized once testing confirms compatibility with your kernel version.

This analysis is provided for informational purposes and represents a point-in-time assessment based on disclosed vulnerability data. Exploit difficulty, real-world impact, and patch availability may change as researchers and vendors publish additional findings. Organizations should conduct their own risk assessment relative to their specific infrastructure, threat model, and security posture. Always verify patch details and compatibility against official vendor advisories before deployment. SEC.co does not endorse any specific security tool or patching strategy; consult your vendor and internal security team for implementation guidance. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).