PatchSiren

CVE-2026-46203 Linux CVE debrief

A vulnerability in the Linux kernel's Cadence Quad SPI (QSPI) driver could allow unclocked register access during driver unbind operations. The issue occurs when the controller is not runtime resumed before being disabled, potentially leading to undefined behavior or system instability. The fix ensures proper runtime power management state before controller disablement.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-28
Advisory published: 2026-05-28
Advisory updated: 2026-05-28

Who should care

Organizations running Linux on embedded systems or hardware utilizing Cadence QSPI controllers, particularly those with hot-pluggable or dynamically bound SPI devices. Relevant for IoT device manufacturers, industrial control systems, and embedded Linux distributions.

Technical summary

The Cadence Quad SPI driver in the Linux kernel did not ensure the controller was runtime resumed before disabling it during driver unbind. This left a window in which the driver could access controller registers without proper clocking (an unclocked register access). The fix runtime resumes the controller before it is disabled.

Defensive priority

medium

Recommended defensive actions

  • Apply kernel updates containing the referenced stable commits when available for your distribution
  • Monitor vendor security advisories for kernel package updates
  • Review systems using Cadence QSPI controllers for stability concerns during driver unload operations
  • Validate runtime power management behavior in embedded/IoT deployments using this driver
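
A read-only check supporting the review and validation actions above, added here as an example and not taken from the advisory or the kernel tree: it lists the devices bound to the driver and their runtime PM state from sysfs. The driver name cadence-qspi is an assumption (the upstream platform driver name; pass another for a vendor tree), and the function names are illustrative.

```shell
#!/bin/sh
# Added example (not from the advisory): read-only sysfs inventory of devices
# bound to the Cadence QSPI platform driver, with their runtime PM state.
# Assumption: the driver is registered as "cadence-qspi" (upstream name);
# pass a different name as the second argument for a vendor tree.

# qspi_inventory [SYSFS_ROOT] [DRIVER_NAME]
# Prints "<device> <runtime_status> <control>" per bound device.
# Returns 0 if at least one device is bound, 1 otherwise.
qspi_inventory() {
    sysfs_root=${1:-/sys}
    driver=${2:-cadence-qspi}
    drv_dir="$sysfs_root/bus/platform/drivers/$driver"
    found=1
    [ -d "$drv_dir" ] || return 1
    for dev in "$drv_dir"/*; do
        # Bound devices are entries with a power/ directory; this skips
        # the bind, unbind and uevent control files.
        [ -d "$dev/power" ] || continue
        status=$(cat "$dev/power/runtime_status" 2>/dev/null) || status=unknown
        control=$(cat "$dev/power/control" 2>/dev/null) || control=unknown
        printf '%s %s %s\n' "${dev##*/}" "$status" "$control"
        found=0
    done
    return "$found"
}

# qspi_suspended_count [SYSFS_ROOT] [DRIVER_NAME]
# Prints how many bound devices are currently runtime suspended, i.e. the
# state the controller must be resumed from before it is disabled.
qspi_suspended_count() {
    qspi_inventory "$@" | awk '$2 == "suspended" { n++ } END { print n + 0 }'
}
```

Call qspi_inventory with no arguments on the target system. A device reported as suspended is in the state where, per the technical summary, an unbind on an unpatched kernel would disable the controller without resuming it first.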

Evidence notes

The vulnerability was identified during review of a controller deregistration fix by Sashiko. The resolution involves ensuring the controller is runtime resumed before disabling it during driver unbind to prevent unclocked register access. Two kernel commits address this issue for stable kernel branches.

Official resources

2026-05-28