CVE-2026-46293
Description
Linux kernel clk driver has an out-of-bounds access vulnerability during output registration, potentially leading to crashes.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Linux kernel's drivers/clk/microchip/clk-mpfs-ccc.c driver has an out-of-bounds access vulnerability. The hws array is allocated for two PLLs and their four output dividers each, but the defined IDs also include two DLLs and their two outputs each, which are not supported. Because the IDs are ordered PLLs -> DLLs -> PLL outputs -> DLL outputs, registering the last two outputs causes an out-of-bounds write. This issue affects versions prior to the fix.
Exploitation
An attacker with the ability to trigger the output registration process within the mpfs-ccc driver could exploit this vulnerability. The vulnerability is triggered by the specific ordering of the IDs: before the fix, PLL output IDs were used as array indices without being decremented by two to account for the unsupported DLLs, leading to an out-of-bounds access when the last two outputs are registered.
Impact
Successful exploitation of this out-of-bounds access vulnerability can lead to a kernel crash or system instability. Depending on the specific kernel configuration and hardware, it might also lead to unintended memory corruption, though further details on specific information disclosure or arbitrary code execution are not provided in the available references.
Mitigation
The vulnerability has been resolved by decrementing the PLL output IDs by two when adding them to the array, preventing the out-of-bounds access. The fix is available in the Linux kernel via the commit a0780aeea166a7cf4706c45af4cadbb2a43a1fc9 [1]. Users should update to a kernel version containing this fix. No workarounds are described, and the EOL status or KEV listing is not yet disclosed in the available references.
AI Insight generated on Jun 8, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches
f24efd415455 clk: microchip: mpfs-ccc: fix out of bounds access during output registration
1 file changed · +5 −2
drivers/clk/microchip/clk-mpfs-ccc.c+5 −2 modifieddiff --git a/drivers/clk/microchip/clk-mpfs-ccc.c b/drivers/clk/microchip/clk-mpfs-ccc.c index 3a3ea2d142f8a..0a76a1aaa50f7 100644 --- a/drivers/clk/microchip/clk-mpfs-ccc.c +++ b/drivers/clk/microchip/clk-mpfs-ccc.c @@ -178,7 +178,7 @@ static int mpfs_ccc_register_outputs(struct device *dev, struct mpfs_ccc_out_hw_ return dev_err_probe(dev, ret, "failed to register clock id: %d\n", out_hw->id); - data->hw_data.hws[out_hw->id] = &out_hw->divider.hw; + data->hw_data.hws[out_hw->id - 2] = &out_hw->divider.hw; } return 0; @@ -234,6 +234,10 @@ static int mpfs_ccc_probe(struct platform_device *pdev) unsigned int num_clks; int ret; + /* + * If DLLs get added here, mpfs_ccc_register_outputs() currently packs + * sparse clock IDs in the hws array + */ num_clks = ARRAY_SIZE(mpfs_ccc_pll_clks) + ARRAY_SIZE(mpfs_ccc_pll0out_clks) + ARRAY_SIZE(mpfs_ccc_pll1out_clks); -- cgit 1.3-korg
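Review bot: In the first hunk (mpfs_ccc_register_outputs()), the new index `out_hw->id - 2` relies on a bare literal and the store is still made without any range check. The 2 appears to stand for the DLL IDs that the second hunk's comment says are not part of the array, so a named constant would make that dependency visible. Comparing the computed index against the num_clks value sized in mpfs_ccc_probe() before the write, and returning an error when it does not fit, would turn any future ID mismatch into a probe failure instead of a write past the end of hws.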
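Review bot: In the second hunk (mpfs_ccc_probe()), the comment added above the num_clks computation never names the `- 2` offset in mpfs_ccc_register_outputs() that depends on DLLs being absent. Suggest saying outright that the offset and this num_clks sum have to be changed together if DLL clocks are added, so whoever extends the arrays knows which line to revisit.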
dbfcb09656cb clk: microchip: mpfs-ccc: fix out of bounds access during output registration
1 file changed · +5 −2
drivers/clk/microchip/clk-mpfs-ccc.c+5 −2 modifieddiff --git a/drivers/clk/microchip/clk-mpfs-ccc.c b/drivers/clk/microchip/clk-mpfs-ccc.c index 3a3ea2d142f8a..0a76a1aaa50f7 100644 --- a/drivers/clk/microchip/clk-mpfs-ccc.c +++ b/drivers/clk/microchip/clk-mpfs-ccc.c @@ -178,7 +178,7 @@ static int mpfs_ccc_register_outputs(struct device *dev, struct mpfs_ccc_out_hw_ return dev_err_probe(dev, ret, "failed to register clock id: %d\n", out_hw->id); - data->hw_data.hws[out_hw->id] = &out_hw->divider.hw; + data->hw_data.hws[out_hw->id - 2] = &out_hw->divider.hw; } return 0; @@ -234,6 +234,10 @@ static int mpfs_ccc_probe(struct platform_device *pdev) unsigned int num_clks; int ret; + /* + * If DLLs get added here, mpfs_ccc_register_outputs() currently packs + * sparse clock IDs in the hws array + */ num_clks = ARRAY_SIZE(mpfs_ccc_pll_clks) + ARRAY_SIZE(mpfs_ccc_pll0out_clks) + ARRAY_SIZE(mpfs_ccc_pll1out_clks); -- cgit 1.3-korg
9ed9b580a814 clk: microchip: mpfs-ccc: fix out of bounds access during output registration
1 file changed · +5 −2
drivers/clk/microchip/clk-mpfs-ccc.c+5 −2 modifieddiff --git a/drivers/clk/microchip/clk-mpfs-ccc.c b/drivers/clk/microchip/clk-mpfs-ccc.c index 0ddc73e07be42..df4ce3232754c 100644 --- a/drivers/clk/microchip/clk-mpfs-ccc.c +++ b/drivers/clk/microchip/clk-mpfs-ccc.c @@ -178,7 +178,7 @@ static int mpfs_ccc_register_outputs(struct device *dev, struct mpfs_ccc_out_hw_ return dev_err_probe(dev, ret, "failed to register clock id: %d\n", out_hw->id); - data->hw_data.hws[out_hw->id] = &out_hw->divider.hw; + data->hw_data.hws[out_hw->id - 2] = &out_hw->divider.hw; } return 0; @@ -234,6 +234,10 @@ static int mpfs_ccc_probe(struct platform_device *pdev) unsigned int num_clks; int ret; + /* + * If DLLs get added here, mpfs_ccc_register_outputs() currently packs + * sparse clock IDs in the hws array + */ num_clks = ARRAY_SIZE(mpfs_ccc_pll_clks) + ARRAY_SIZE(mpfs_ccc_pll0out_clks) + ARRAY_SIZE(mpfs_ccc_pll1out_clks); -- cgit 1.3-korg
47bc7a03449c clk: microchip: mpfs-ccc: fix out of bounds access during output registration
1 file changed · +5 −2
drivers/clk/microchip/clk-mpfs-ccc.c+5 −2 modifieddiff --git a/drivers/clk/microchip/clk-mpfs-ccc.c b/drivers/clk/microchip/clk-mpfs-ccc.c index bce61c45e9674..9ed8074a9ee8a 100644 --- a/drivers/clk/microchip/clk-mpfs-ccc.c +++ b/drivers/clk/microchip/clk-mpfs-ccc.c @@ -178,7 +178,7 @@ static int mpfs_ccc_register_outputs(struct device *dev, struct mpfs_ccc_out_hw_ return dev_err_probe(dev, ret, "failed to register clock id: %d\n", out_hw->id); - data->hw_data.hws[out_hw->id] = &out_hw->divider.hw; + data->hw_data.hws[out_hw->id - 2] = &out_hw->divider.hw; } return 0; @@ -234,6 +234,10 @@ static int mpfs_ccc_probe(struct platform_device *pdev) unsigned int num_clks; int ret; + /* + * If DLLs get added here, mpfs_ccc_register_outputs() currently packs + * sparse clock IDs in the hws array + */ num_clks = ARRAY_SIZE(mpfs_ccc_pll_clks) + ARRAY_SIZE(mpfs_ccc_pll0out_clks) + ARRAY_SIZE(mpfs_ccc_pll1out_clks); -- cgit 1.3-korg
a0780aeea166 clk: microchip: mpfs-ccc: fix out of bounds access during output registration
1 file changed · +5 −2
drivers/clk/microchip/clk-mpfs-ccc.c+5 −2 modifieddiff --git a/drivers/clk/microchip/clk-mpfs-ccc.c b/drivers/clk/microchip/clk-mpfs-ccc.c index 3a3ea2d142f8a..0a76a1aaa50f7 100644 --- a/drivers/clk/microchip/clk-mpfs-ccc.c +++ b/drivers/clk/microchip/clk-mpfs-ccc.c @@ -178,7 +178,7 @@ static int mpfs_ccc_register_outputs(struct device *dev, struct mpfs_ccc_out_hw_ return dev_err_probe(dev, ret, "failed to register clock id: %d\n", out_hw->id); - data->hw_data.hws[out_hw->id] = &out_hw->divider.hw; + data->hw_data.hws[out_hw->id - 2] = &out_hw->divider.hw; } return 0; @@ -234,6 +234,10 @@ static int mpfs_ccc_probe(struct platform_device *pdev) unsigned int num_clks; int ret; + /* + * If DLLs get added here, mpfs_ccc_register_outputs() currently packs + * sparse clock IDs in the hws array + */ num_clks = ARRAY_SIZE(mpfs_ccc_pll_clks) + ARRAY_SIZE(mpfs_ccc_pll0out_clks) + ARRAY_SIZE(mpfs_ccc_pll1out_clks); -- cgit 1.3-korg
2f7ae8ab6aa7 clk: microchip: mpfs-ccc: fix out of bounds access during output registration
1 file changed · +5 −2
drivers/clk/microchip/clk-mpfs-ccc.c+5 −2 modifieddiff --git a/drivers/clk/microchip/clk-mpfs-ccc.c b/drivers/clk/microchip/clk-mpfs-ccc.c index 3a3ea2d142f8a..0a76a1aaa50f7 100644 --- a/drivers/clk/microchip/clk-mpfs-ccc.c +++ b/drivers/clk/microchip/clk-mpfs-ccc.c @@ -178,7 +178,7 @@ static int mpfs_ccc_register_outputs(struct device *dev, struct mpfs_ccc_out_hw_ return dev_err_probe(dev, ret, "failed to register clock id: %d\n", out_hw->id); - data->hw_data.hws[out_hw->id] = &out_hw->divider.hw; + data->hw_data.hws[out_hw->id - 2] = &out_hw->divider.hw; } return 0; @@ -234,6 +234,10 @@ static int mpfs_ccc_probe(struct platform_device *pdev) unsigned int num_clks; int ret; + /* + * If DLLs get added here, mpfs_ccc_register_outputs() currently packs + * sparse clock IDs in the hws array + */ num_clks = ARRAY_SIZE(mpfs_ccc_pll_clks) + ARRAY_SIZE(mpfs_ccc_pll0out_clks) + ARRAY_SIZE(mpfs_ccc_pll1out_clks); -- cgit 1.3-korg
Vulnerability mechanics
Root cause
"The driver incorrectly maps clock output IDs to the hws array, leading to an out-of-bounds write."
Attack vector
An attacker can trigger this vulnerability by registering the last two outputs of the clock driver. This occurs during the registration process where the driver attempts to store hardware data for these outputs. The issue arises because the allocated space in the 'hws' array is insufficient for the defined IDs, specifically when dealing with DLLs and their outputs which are not fully supported by the driver's current allocation strategy [patch_id=5239547].
Affected code
The vulnerability resides in the `mpfs_ccc_register_outputs` function within the `drivers/clk/microchip/clk-mpfs-ccc.c` file. Specifically, the line `data->hw_data.hws[out_hw->id] = &out_hw->divider.hw;` is modified to `data->hw_data.hws[out_hw->id - 2] = &out_hw->divider.hw;` [patch_id=5239547]. This change directly addresses how the output hardware data is indexed into the `hws` array.
What the fix does
The patch corrects the out-of-bounds access by decrementing the PLL output IDs by two before adding them to the 'hws' array [patch_id=5239547]. This adjustment ensures that the hardware data for the output dividers is stored at the correct index within the allocated space, preventing the overflow. The commit message indicates that this change resolves an issue reported by UBSAN during the registration of the last two outputs.
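The indexing mismatch and its fix, modelled in user space as an added example (not code from the kernel or from this page). It assumes the IDs are numbered contiguously from 0 in the order described above; `store_hw`, `register_all` and `empty_slots` are hypothetical helpers, and the bounds-checked store counts the writes that would otherwise land past the end of the ten-slot array.

```c
#include <stdio.h>

/* Assumed ID numbering, contiguous from 0; all names here are illustrative. */
enum { NUM_PLLS = 2, NUM_DLLS = 2, OUTS_PER_PLL = 4,
       NUM_PLL_OUTS = NUM_PLLS * OUTS_PER_PLL,
       FIRST_PLL_OUT_ID = NUM_PLLS + NUM_DLLS,   /* 4: PLLs and DLLs come first */
       NUM_CLKS = NUM_PLLS + NUM_PLL_OUTS };     /* 10 slots, none for DLLs */
struct hw_table { const void *hws[NUM_CLKS]; unsigned int num; };

/* Checked store: refuses the write that the unpatched index performs blindly. */
static int store_hw(struct hw_table *t, unsigned int idx, const void *hw)
{
    if (idx >= t->num)
        return -1;
    t->hws[idx] = hw;
    return 0;
}

/* Fill the table; skip is subtracted from each PLL output ID (0 = unpatched,
 * NUM_DLLS = patched). Returns the number of stores rejected as out of bounds. */
static int register_all(struct hw_table *t, unsigned int skip)
{
    static const char hw[NUM_CLKS];   /* stand-ins for the clk_hw objects */
    int rejected = 0;
    *t = (struct hw_table){ .num = NUM_CLKS };
    for (unsigned int id = 0; id < NUM_PLLS; id++)
        rejected += store_hw(t, id, &hw[id]) != 0;
    for (unsigned int i = 0; i < NUM_PLL_OUTS; i++)
        rejected += store_hw(t, FIRST_PLL_OUT_ID + i - skip, &hw[NUM_PLLS + i]) != 0;
    return rejected;
}

/* Slots left NULL are holes that a later lookup by index would hit. */
static int empty_slots(const struct hw_table *t)
{
    int n = 0;
    for (unsigned int i = 0; i < t->num; i++)
        n += t->hws[i] == NULL;
    return n;
}

int main(void)
{
    struct hw_table t;
    int rejected = register_all(&t, 0);
    printf("unpatched: %d out-of-bounds stores, %d empty slots\n", rejected, empty_slots(&t));
    rejected = register_all(&t, NUM_DLLS);
    printf("patched:   %d out-of-bounds stores, %d empty slots\n", rejected, empty_slots(&t));
    return 0;
}
```

With the unpatched index the two rejected stores are the last two PLL outputs, and slots 2 and 3 stay empty because no DLL is ever registered; with the offset applied the table is filled densely.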
Generated on Jun 8, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- git.kernel.org/stable/c/2f7ae8ab6aa73daaf080d5332110357c29df9c36 (nvd)
- git.kernel.org/stable/c/47bc7a03449c39805bc2665d3e57c73195d5bcf8 (nvd)
- git.kernel.org/stable/c/9ed9b580a814773482c0a4f1be045636e68cc109 (nvd)
- git.kernel.org/stable/c/a0780aeea166a7cf4706c45af4cadbb2a43a1fc9 (nvd)
- git.kernel.org/stable/c/dbfcb09656cb30439577325c9dea2250203c2e3c (nvd)
- git.kernel.org/stable/c/f24efd415455b98a1f1cfc6071fe6fde71986706 (nvd)
News mentions
- Linux Kernel: 25 Vulnerabilities Disclosed in Single Batch on June 8, 2026 (Vypr Intelligence · Jun 8, 2026)