Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2026-46148

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
28/05/2026
Last modified:
28/05/2026

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> spi: microchip-core-qspi: control built-in cs manually<br /> <br /> The coreQSPI IP supports only a single chip select, which is<br /> automagically operated by the hardware - set low when the transmit<br /> buffer first gets written to and set high when the number of bytes<br /> written to the TOTALBYTES field of the FRAMES register have been sent on<br /> the bus. Additional devices must use GPIOs for their chip selects.<br /> It was reported to me that if there are two devices attached to this<br /> QSPI controller that the in-built chip select is set low while linux<br /> tries to access the device attached to the GPIO.<br /> <br /> This went undetected as the boards that connected multiple devices to<br /> the SPI controller all exclusively used GPIOs for chip selects, not<br /> relying on the built-in chip select at all. It turns out that this was<br /> because the built-in chip select, when controlled automagically, is set<br /> low when active and high when inactive, thereby ruling out its use for<br /> active-high devices or devices that need to transmit with the chip<br /> select disabled.<br /> <br /> Modify the driver so that it controls chip select directly, retaining<br /> the behaviour for mem_ops of setting the chip select active for the<br /> entire duration of the transfer in the exec_op callback. For regular<br /> transfers, implement the set_cs callback for the core to use.<br /> <br /> As part of this, the existing setup callback, mchp_coreqspi_setup_op(),<br /> is removed. Modifying the CLKIDLE field is not safe to do during<br /> operation when there are multiple devices, so this code is removed<br /> entirely. Setting the MASTER and ENABLE fields is something that can be<br /> done once at probe, it doesn&amp;#39;t need to be re-run for each device.<br /> Instead the new setup callback sets the built-in chip select to its<br /> inactive state for active-low devices, as the reset value of the chip<br /> select in software controlled mode is low.

Impact

References to Advisories, Solutions, and Tools