CVE-2026-46293
Received - Intake
Out-of-Bounds Access in Linux Kernel MPFS-CCC Clock Driver

Publication date: 2026-06-08

Last updated on: 2026-06-08

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

clk: microchip: mpfs-ccc: fix out of bounds access during output registration

UBSAN reported an out of bounds access during registration of the last two outputs. This out of bounds access occurs because space is only allocated in the hws array for two PLLs and the four output dividers that each has, but the defined IDs contain two DLLs and their two outputs each, which are not supported by the driver. The ID order is PLLs -> DLLs -> PLL outputs -> DLL outputs. Decrement the PLL output IDs by two while adding them to the array to avoid the problem.

Meta Information
Published: 2026-06-08
Last Modified: 2026-06-08
Generated: 2026-06-09
AI Q&A: 2026-06-08
EPSS Evaluated: N/A

Affected Vendors & Products
Vendor: microchip
Product: mpfs-ccc
Version / Range: *
CWE ID: CWE-UNKNOWN

Executive Summary

This vulnerability is an out of bounds access issue in the Linux kernel's Microchip MPFS-CCC clock driver. It occurs during the registration of the last two outputs because the driver allocates space only for two PLLs and their four output dividers, but the defined IDs include two DLLs and their outputs, which the driver does not support. This mismatch causes the driver to access memory outside the allocated bounds.

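The problem arises because the IDs are ordered PLLs, DLLs, PLL outputs, DLL outputs, so the two DLL IDs sit between the PLL IDs and the PLL output IDs. The driver added the PLL outputs to the array at their defined IDs without accounting for the DLLs, which puts the last two outputs past the end of the array. The fix decrements the PLL output IDs by two when adding them to the array.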
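
The index arithmetic described above, modelled as an added user-space C example (not the kernel driver's code). All macro and function names are hypothetical, and the numeric IDs are derived from the counts and ID order in the description, assuming IDs start at 0.

```c
#include <stdio.h>
#include <stddef.h>

/* Counts taken from the CVE description; names are hypothetical. */
#define NUM_PLLS        2
#define NUM_DLLS        2   /* present in the ID space, unsupported by the driver */
#define OUTPUTS_PER_PLL 4

/* Slots the description says are allocated: two PLLs plus four outputs each. */
#define HWS_SLOTS ((size_t)(NUM_PLLS + NUM_PLLS * OUTPUTS_PER_PLL))

/* ID order per the description: PLLs -> DLLs -> PLL outputs -> DLL outputs.
 * Assumption: IDs are consecutive and start at 0. */
static size_t pll_output_id(size_t pll, size_t out)
{
    return NUM_PLLS + NUM_DLLS + pll * OUTPUTS_PER_PLL + out;
}

/* Before the fix: the defined ID is used directly as the array index. */
static size_t index_before_fix(size_t id) { return id; }

/* After the fix: PLL output IDs are decremented by two (the DLL IDs). */
static size_t index_after_fix(size_t id) { return id - NUM_DLLS; }

/* Counts PLL outputs whose index lies outside the array. Only compares
 * indices against the slot count; no array is ever dereferenced. */
static size_t count_out_of_bounds(size_t (*to_index)(size_t), int verbose)
{
    size_t bad = 0;
    for (size_t pll = 0; pll < NUM_PLLS; pll++) {
        for (size_t out = 0; out < OUTPUTS_PER_PLL; out++) {
            size_t id = pll_output_id(pll, out);
            size_t idx = to_index(id);
            int oob = idx >= HWS_SLOTS;
            bad += (size_t)oob;
            if (verbose)
                printf("PLL%zu out%zu: id=%zu index=%zu %s\n",
                       pll, out, id, idx, oob ? "OUT OF BOUNDS" : "ok");
        }
    }
    return bad;
}

int main(void)
{
    printf("array slots: %zu\n", HWS_SLOTS);
    puts("-- index = id (before fix)");
    size_t before = count_out_of_bounds(index_before_fix, 1);
    puts("-- index = id - 2 (after fix)");
    size_t after = count_out_of_bounds(index_after_fix, 1);
    return (before == 2 && after == 0) ? 0 : 1;
}
```

Under these assumptions the array has 10 slots and the PLL output IDs run from 4 to 11, so exactly the last two outputs land out of bounds before the fix, matching the UBSAN report.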

Impact Analysis

An out of bounds access vulnerability in a kernel driver can potentially lead to system instability, crashes, or unexpected behavior. It might also be exploitable to cause denial of service or, in some cases, privilege escalation if an attacker can manipulate the affected driver.

However, since this vulnerability is specific to the Microchip MPFS-CCC clock driver and involves unsupported hardware features, its impact is limited to systems using this specific driver and hardware.
