PatchSiren

CVE-2026-46148 Linux CVE debrief

A vulnerability in the Linux kernel's Microchip CoreQSPI driver could cause incorrect chip select signaling when multiple SPI devices are attached to the controller. The hardware-automated chip select would activate during transfers to GPIO-controlled devices, potentially causing data corruption or unintended device operations. The fix implements manual software control of the built-in chip select and removes unsafe runtime configuration changes.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-28
Advisory published: 2026-05-28
Advisory updated: 2026-05-28

Who should care

Organizations running embedded Linux systems with Microchip CoreQSPI controllers and multiple SPI devices, particularly industrial control systems, IoT devices, and embedded platforms using Microchip FPGA or SoC solutions with this IP core.

Technical summary

The Microchip CoreQSPI IP provides a single hardware-controlled chip select that automatically activates when the transmit buffer is written and deactivates after the configured byte count is transferred. When multiple SPI devices are attached—with some using the built-in chip select and others using GPIO chip selects—the hardware-automated select could activate during transfers to GPIO-controlled devices. This occurred because the driver previously relied on hardware automation without software override capability. The vulnerability also prevented use of the built-in chip select for active-high devices or devices requiring chip-select-disabled transmission modes. The resolution implements manual software control via the set_cs callback for regular transfers and direct control in the exec_op callback for memory operations, while removing the unsafe mchp_coreqspi_setup_op() callback that modified CLKIDLE during operation.

Defensive priority

medium

Recommended defensive actions

  • Review systems using the Microchip CoreQSPI controller with multiple attached SPI devices
  • Verify kernel version includes the fix commits for CVE-2026-46148
  • For systems unable to patch immediately, consider using GPIO chip selects exclusively for all devices on affected controllers
  • Monitor SPI device communications for unexpected chip select assertions
  • Test SPI device operations after kernel updates to ensure proper chip select behavior
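
One way to carry out the first action on a target, as an added example (not PatchSiren's or the kernel project's code): walk the live device tree and report CoreQSPI controllers whose child devices mix the built-in chip select with GPIO chip selects, the layout the technical summary describes. Assumptions: the controller is matched by the substring coreqspi in its compatible property, chip selects are declared with the standard cs-gpios property, and a GPIO provider with no readable #gpio-cells uses two specifier cells.

```python
import os
import struct

DT_ROOT = "/sys/firmware/devicetree/base"  # sysfs view of the live device tree

def cells(path):
    """Read a property file as big-endian 32-bit cells ([] if it is absent)."""
    try:
        with open(path, "rb") as f:
            raw = f.read()
    except OSError:
        return []
    return [c for (c,) in struct.iter_unpack(">I", raw[: len(raw) // 4 * 4])]

def gpio_cs_slots(node, gpio_cells):
    """Decode cs-gpios: one bool per chip-select index, True when GPIO-driven."""
    data, slots, i = cells(os.path.join(node, "cs-gpios")), [], 0
    while i < len(data):
        is_gpio = data[i] != 0  # a <0> entry means the controller's built-in CS
        slots.append(is_gpio)
        # Skip the phandle plus the provider's specifier cells (2 assumed if unknown).
        i += 1 + (gpio_cells.get(data[i], 2) if is_gpio else 0)
    return slots

def audit(root=DT_ROOT):
    """Map each CoreQSPI node to its built-in-CS and GPIO-CS child devices."""
    gpio_cells, controllers = {}, []
    for node, _dirs, files in os.walk(root):
        if "phandle" in files and "#gpio-cells" in files:
            phandle = cells(os.path.join(node, "phandle"))[0]
            gpio_cells[phandle] = cells(os.path.join(node, "#gpio-cells"))[0]
        if "compatible" in files:
            with open(os.path.join(node, "compatible"), "rb") as f:
                if b"coreqspi" in f.read():  # assumed compatible substring
                    controllers.append(node)
    report = {}
    for node in controllers:
        slots = gpio_cs_slots(node, gpio_cells)
        found = {"builtin": [], "gpio": []}
        for child in sorted(os.listdir(node)):
            reg = cells(os.path.join(node, child, "reg"))
            if reg:  # a child device; its first reg cell is the chip-select index
                kind = "gpio" if reg[0] < len(slots) and slots[reg[0]] else "builtin"
                found[kind].append(child)
        found["mixed"] = bool(found["builtin"] and found["gpio"])
        report[os.path.relpath(node, root)] = found
    return report

if __name__ == "__main__":
    print(audit())
```

A controller reported with "mixed": True has devices on both kinds of chip select and is the one to prioritise for the kernel update. The script does not check the status property, so disabled nodes are reported as well.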

Evidence notes

The vulnerability description indicates this issue was reported to the maintainer and affects systems with multiple SPI devices on the Microchip CoreQSPI controller. The fix was committed to the Linux kernel stable branches. No CVSS score has been assigned as of the CVE publication date.
