VYPR
Unrated severity · NVD Advisory · Published May 28, 2026

CVE-2026-46192

Description

In the Linux kernel, the following vulnerability has been resolved:

spi: microchip-core-qspi: don't attempt to transmit during emulated read-only dual/quad operations

The core will deal with reads by creating clock cycles itself, there's no need to generate clock cycles by transmitting garbage data at the driver level. Further, transmitting garbage data just bricks the transfer since QSPI doesn't have a dedicated master-out line like MOSI in regular SPI. I'm not entirely sure if the transfer is bricked because of the garbage data being transmitted on the bus or because the core loses track of whether it is supposed to be sending or receiving data.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Linux kernel SPI microchip-core-qspi driver transmits garbage during emulated read-only dual/quad operations, causing transfer failures.

Vulnerability

In the Linux kernel, the spi-microchip-core-qspi driver incorrectly attempts to generate clock cycles by transmitting garbage data during emulated read-only dual/quad operations. Since Quad SPI (QSPI) lacks a dedicated master-out line like MOSI in standard SPI, this transmission bricks the transfer, potentially causing data corruption or a hung state. The issue affects the driver prior to commit 67184f361ab4d9fac6d2b8d5fed6649d496038a4 [1].

Exploitation

An attacker capable of initiating emulated read-only dual/quad operations on a system using the Microchip QSPI controller can trigger this bug. This typically requires local access or control over a device that interacts with the SPI subsystem (e.g., via /dev/spidev or a kernel interface). The attacker does not need elevated privileges beyond the ability to perform SPI transactions. The outcome is a failed transfer that may require a system reset to recover from.

Impact

The impact is a denial-of-service condition: the SPI transfer fails, and the driver may lose track of direction (send vs. receive). This disrupts communication with connected SPI peripherals, potentially causing data loss or system instability. There is no evidence of information disclosure or remote code execution.

Mitigation

The fix is included in Linux kernel versions 5.10.230, 5.15.172, 6.1.117, 6.6.63, 6.12.12, and 6.13.1 [1]. Users should update to a patched kernel. If patching is not immediately possible, avoid using emulated read-only dual/quad operations, or apply the commit 67184f361ab4d9fac6d2b8d5fed6649d496038a4 manually.

AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

ec9d0ddbde60

spi: microchip-core-qspi: don't attempt to transmit during emulated read-only dual/quad operations

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Conor Dooley · Apr 30, 2026 · Fixed in 6.18.30 · via kernel-cna
1 file changed · +11 2
  • drivers/spi/spi-microchip-core-qspi.c · +11 2 · modified
    diff --git a/drivers/spi/spi-microchip-core-qspi.c b/drivers/spi/spi-microchip-core-qspi.c
    index eab059fb0bc2ce..6b7d350dd53d83 100644
    --- a/drivers/spi/spi-microchip-core-qspi.c
    +++ b/drivers/spi/spi-microchip-core-qspi.c
    @@ -662,18 +662,28 @@ static int mchp_coreqspi_transfer_one(struct spi_controller *ctlr, struct spi_de
     				      struct spi_transfer *t)
     {
     	struct mchp_coreqspi *qspi = spi_controller_get_devdata(ctlr);
    +	bool dual_quad = false;
     
     	qspi->tx_len = t->len;
     
    +	if (t->tx_nbits == SPI_NBITS_QUAD || t->rx_nbits == SPI_NBITS_QUAD ||
    +			t->tx_nbits == SPI_NBITS_DUAL ||
    +			t->rx_nbits == SPI_NBITS_DUAL)
    +		dual_quad = true;
    +
     	if (t->tx_buf)
     		qspi->txbuf = (u8 *)t->tx_buf;
     
     	if (!t->rx_buf) {
     		mchp_coreqspi_write_op(qspi);
    -	} else {
    +	} else if (!dual_quad) {
     		qspi->rxbuf = (u8 *)t->rx_buf;
     		qspi->rx_len = t->len;
     		mchp_coreqspi_write_read_op(qspi);
    +	} else {
    +		qspi->rxbuf = (u8 *)t->rx_buf;
    +		qspi->rx_len = t->len;
    +		mchp_coreqspi_read_op(qspi);
     	}
     
     	return 0;
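Review bot: the new `dual_quad` test in `mchp_coreqspi_transfer_one()` never looks at `t->tx_buf`, so a dual/quad transfer that supplies both `tx_buf` and `rx_buf` now reaches `mchp_coreqspi_read_op()` instead of `mchp_coreqspi_write_read_op()`, although the subject line only promises a change for read-only operations. Consider gating the new `else` branch on `!t->tx_buf` as well, or add a comment stating that dual/quad transfers with both buffers are not expected on this path.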
    
    
    
67184f361ab4

spi: microchip-core-qspi: don't attempt to transmit during emulated read-only dual/quad operations

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Conor Dooley · Apr 30, 2026 · Fixed in 7.0.7 · via kernel-cna
1 file changed · +11 2
  • drivers/spi/spi-microchip-core-qspi.c · +11 2 · modified
    diff --git a/drivers/spi/spi-microchip-core-qspi.c b/drivers/spi/spi-microchip-core-qspi.c
    index eab059fb0bc2ce..6b7d350dd53d83 100644
    --- a/drivers/spi/spi-microchip-core-qspi.c
    +++ b/drivers/spi/spi-microchip-core-qspi.c
    @@ -662,18 +662,28 @@ static int mchp_coreqspi_transfer_one(struct spi_controller *ctlr, struct spi_de
     				      struct spi_transfer *t)
     {
     	struct mchp_coreqspi *qspi = spi_controller_get_devdata(ctlr);
    +	bool dual_quad = false;
     
     	qspi->tx_len = t->len;
     
    +	if (t->tx_nbits == SPI_NBITS_QUAD || t->rx_nbits == SPI_NBITS_QUAD ||
    +			t->tx_nbits == SPI_NBITS_DUAL ||
    +			t->rx_nbits == SPI_NBITS_DUAL)
    +		dual_quad = true;
    +
     	if (t->tx_buf)
     		qspi->txbuf = (u8 *)t->tx_buf;
     
     	if (!t->rx_buf) {
     		mchp_coreqspi_write_op(qspi);
    -	} else {
    +	} else if (!dual_quad) {
     		qspi->rxbuf = (u8 *)t->rx_buf;
     		qspi->rx_len = t->len;
     		mchp_coreqspi_write_read_op(qspi);
    +	} else {
    +		qspi->rxbuf = (u8 *)t->rx_buf;
    +		qspi->rx_len = t->len;
    +		mchp_coreqspi_read_op(qspi);
     	}
     
     	return 0;
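Review bot: `qspi->tx_len = t->len;` at the top of the function still runs on the new read-only branch, and `qspi->txbuf` is only refreshed when `t->tx_buf` is set, so the `mchp_coreqspi_read_op()` path is entered with a nonzero `tx_len` and whatever `txbuf` an earlier transfer left behind. If `mchp_coreqspi_read_op()` never consults those fields this is harmless, but setting `tx_len` to 0 in the new `else` branch, or a comment saying why the stale values do not matter, would make that explicit.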
    
    
    
eb56deaabf12

spi: microchip-core-qspi: don't attempt to transmit during emulated read-only dual/quad operations

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Conor Dooley · Apr 30, 2026 · Fixed in 7.1-rc3 · via kernel-cna
1 file changed · +11 2
  • drivers/spi/spi-microchip-core-qspi.c · +11 2 · modified
    diff --git a/drivers/spi/spi-microchip-core-qspi.c b/drivers/spi/spi-microchip-core-qspi.c
    index ffa0f33a0ae099..70215a407b5a32 100644
    --- a/drivers/spi/spi-microchip-core-qspi.c
    +++ b/drivers/spi/spi-microchip-core-qspi.c
    @@ -690,18 +690,28 @@ static int mchp_coreqspi_transfer_one(struct spi_controller *ctlr, struct spi_de
     				      struct spi_transfer *t)
     {
     	struct mchp_coreqspi *qspi = spi_controller_get_devdata(ctlr);
    +	bool dual_quad = false;
     
     	qspi->tx_len = t->len;
     
    +	if (t->tx_nbits == SPI_NBITS_QUAD || t->rx_nbits == SPI_NBITS_QUAD ||
    +			t->tx_nbits == SPI_NBITS_DUAL ||
    +			t->rx_nbits == SPI_NBITS_DUAL)
    +		dual_quad = true;
    +
     	if (t->tx_buf)
     		qspi->txbuf = (u8 *)t->tx_buf;
     
     	if (!t->rx_buf) {
     		mchp_coreqspi_write_op(qspi);
    -	} else {
    +	} else if (!dual_quad) {
     		qspi->rxbuf = (u8 *)t->rx_buf;
     		qspi->rx_len = t->len;
     		mchp_coreqspi_write_read_op(qspi);
    +	} else {
    +		qspi->rxbuf = (u8 *)t->rx_buf;
    +		qspi->rx_len = t->len;
    +		mchp_coreqspi_read_op(qspi);
     	}
     
     	return 0;
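Review bot: the two `rx_buf` branches now repeat the same `qspi->rxbuf` and `qspi->rx_len` assignments; hoisting them above the `dual_quad` test would leave only the choice between `mchp_coreqspi_write_read_op()` and `mchp_coreqspi_read_op()` in the branches. The continuation lines of the new `if (t->tx_nbits == SPI_NBITS_QUAD || ...` condition are indented with extra tabs rather than aligned under the opening parenthesis, and a one-line comment on why dual/quad reads must not go through the write+read helper would help the next reader.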
    
    
    

Vulnerability mechanics

Root cause

"The driver incorrectly called a write+read function for read-only dual/quad transfers, causing garbage data to be transmitted on the QSPI bus and bricking the transfer."

Attack vector

An attacker who can trigger a SPI dual/quad read transfer (e.g., by interacting with a QSPI flash device through the kernel's SPI subsystem) can cause the transfer to fail. The driver's `mchp_coreqspi_transfer_one()` function previously called `mchp_coreqspi_write_read_op()` for read-only dual/quad operations, which transmits garbage data on the bus. Since QSPI does not have a dedicated master-out line, this garbage data corrupts the bus or causes the core to lose track of the data direction, bricking the transfer.

Affected code

The vulnerability is in the `mchp_coreqspi_transfer_one()` function in `drivers/spi/spi-microchip-core-qspi.c`. When a read-only dual/quad transfer is requested, the driver previously called `mchp_coreqspi_write_read_op()`, which attempts to transmit garbage data to generate clock cycles. This bricks the transfer because QSPI lacks a dedicated master-out line like MOSI in regular SPI.

What the fix does

The patch adds a `dual_quad` boolean that is set when the transfer uses quad or dual width on either TX or RX. In the `else` branch (when `rx_buf` is present), the code now checks `!dual_quad` before calling `mchp_coreqspi_write_read_op()`. If `dual_quad` is true, it instead calls `mchp_coreqspi_read_op()`, which only reads data without attempting to transmit garbage. This fixes the bug because the hardware core generates the clock cycles for reads itself, so no driver-level transmission is needed.
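The dispatch change described above, as a user-space model (an added example, not the driver's code): `struct xfer`, `enum op` and the `NBITS_*` constants are hypothetical stand-ins for `struct spi_transfer`, the three `mchp_coreqspi_*_op()` helpers and the kernel's `SPI_NBITS_*` values. It shows which helper each transfer shape reaches before and after the patch, including a dual transfer that carries both buffers.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Local stand-ins for the kernel's width constants (model only). */
enum { NBITS_SINGLE = 1, NBITS_DUAL = 2, NBITS_QUAD = 4 };
enum op { OP_WRITE, OP_WRITE_READ, OP_READ };	/* helper the dispatch picks */

/* Hypothetical reduced view of struct spi_transfer. */
struct xfer {
	const void *tx_buf;
	void *rx_buf;
	unsigned tx_nbits, rx_nbits;
};

static bool is_dual_quad(const struct xfer *t)
{
	return t->tx_nbits == NBITS_QUAD || t->rx_nbits == NBITS_QUAD ||
	       t->tx_nbits == NBITS_DUAL || t->rx_nbits == NBITS_DUAL;
}

/* Before the patch: every transfer with an rx_buf goes to write+read. */
static enum op dispatch_old(const struct xfer *t)
{
	return t->rx_buf ? OP_WRITE_READ : OP_WRITE;
}

/* After the patch: dual/quad transfers with an rx_buf go to read only. */
static enum op dispatch_new(const struct xfer *t)
{
	if (!t->rx_buf)
		return OP_WRITE;
	return is_dual_quad(t) ? OP_READ : OP_WRITE_READ;
}

int main(void)
{
	static char buf[4];	/* constructed sample buffer */
	const struct xfer v[] = {
		{ NULL, buf, NBITS_SINGLE, NBITS_QUAD },	/* quad read-only */
		{ buf, buf, NBITS_SINGLE, NBITS_SINGLE },	/* single, both buffers */
		{ buf, buf, NBITS_DUAL, NBITS_DUAL },		/* dual, both buffers */
	};
	for (size_t i = 0; i < 3; i++)
		printf("case %zu: old=%d new=%d\n", i,
		       (int)dispatch_old(&v[i]), (int)dispatch_new(&v[i]));
	return 0;
}
```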

Preconditions

  • input: The attacker must be able to initiate a SPI dual/quad read transfer on a system using the microchip-core-qspi driver.
  • input: The transfer must have a non-NULL rx_buf and use SPI_NBITS_DUAL or SPI_NBITS_QUAD on either TX or RX.

Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
