CVE-2026-46192 Linux CVE debrief

Who should care

Organizations running Linux systems with Microchip QSPI hardware, embedded systems manufacturers, industrial control system operators, and kernel maintainers responsible for SPI/QSPI subsystem stability

Technical summary

The Microchip Core QSPI driver in the Linux kernel contained a logic error where it attempted to transmit garbage data during emulated read-only dual/quad SPI operations to generate clock cycles. However, the QSPI core already handles read operations by creating clock cycles internally. This redundant transmission is problematic because QSPI does not have a dedicated master-out line (unlike MOSI in standard SPI), causing transfer corruption. The exact failure mechanism—whether from bus contamination or core state desynchronization—is not fully characterized. The fix removes this spurious transmission behavior, allowing the core to properly manage read-only operations.

Defensive priority

medium

Recommended defensive actions

• Review Linux kernel configurations for systems using Microchip Core QSPI driver
• Apply kernel patches from stable tree commits when available for your distribution
• Monitor vendor security advisories for kernel updates addressing this issue
• Verify SPI/QSPI device functionality after kernel updates on affected systems

Evidence notes

The vulnerability description is derived from the official CVE record and kernel commit messages. The fix involves three commits to the Linux kernel stable tree addressing the spi: microchip-core-qspi driver. No CVSS score has been assigned as of the CVE publication date.

Official resources