CVE-2026-46192
Analyzed Analyzed - Analysis Complete
spi: microchip-core-qspi emulated read-only operation vulnerability

Publication date: 2026-05-28

Last updated on: 2026-06-11

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: spi: microchip-core-qspi: don't attempt to transmit during emulated read-only dual/quad operations The core will deal with reads by creating clock cycles itself, there's no need to generate clock cycles by transmitting garbage data at the driver level. Further, transmitting garbage data just bricks the transfer since QSPI doesn't have a dedicated master-out line like MOSI in regular SPI. I'm not entirely sure if the transfer is bricked because of the garbage data being transmitted on the bus or because the core loses track of whether it is supposed to be sending or receiving data.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-28
Last Modified
2026-06-11
Generated
2026-06-17
AI Q&A
2026-05-28
EPSS Evaluated
2026-06-16
NVD
CVE-2026-46192
EUVD
EUVD-2026-32819
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel From 6.19 (inc) to 7.0.7 (exc)
linux linux_kernel From 6.17 (inc) to 6.18.30 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's microchip-core-qspi driver. It involves the driver attempting to transmit data during emulated read-only dual/quad SPI operations, which is unnecessary and problematic. The core should handle reads by generating clock cycles internally without transmitting any data. Transmitting garbage data during these operations can disrupt the transfer because QSPI lacks a dedicated master-out line, unlike regular SPI. This can cause the transfer to fail or become 'bricked' as the core may lose track of whether it should be sending or receiving data.

Impact Analysis

The impact of this vulnerability is that data transfers using the microchip-core-qspi driver in the Linux kernel can fail or become corrupted during read-only dual/quad SPI operations. This can lead to malfunctioning hardware communication or system instability where this driver is used, potentially causing devices relying on these transfers to not operate correctly.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46192. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart