Description
In the Linux kernel, the following vulnerability has been resolved:

spi: microchip-core-qspi: control built-in cs manually

The coreQSPI IP supports only a single chip select, which is
automagically operated by the hardware - set low when the transmit
buffer first gets written to and set high when the number of bytes
written to the TOTALBYTES field of the FRAMES register have been sent on
the bus. Additional devices must use GPIOs for their chip selects.
It was reported to me that if there are two devices attached to this
QSPI controller that the in-built chip select is set low while linux
tries to access the device attached to the GPIO.

This went undetected as the boards that connected multiple devices to
the SPI controller all exclusively used GPIOs for chip selects, not
relying on the built-in chip select at all. It turns out that this was
because the built-in chip select, when controlled automagically, is set
low when active and high when inactive, thereby ruling out its use for
active-high devices or devices that need to transmit with the chip
select disabled.

Modify the driver so that it controls chip select directly, retaining
the behaviour for mem_ops of setting the chip select active for the
entire duration of the transfer in the exec_op callback. For regular
transfers, implement the set_cs callback for the core to use.

As part of this, the existing setup callback, mchp_coreqspi_setup_op(),
is removed. Modifying the CLKIDLE field is not safe to do during
operation when there are multiple devices, so this code is removed
entirely. Setting the MASTER and ENABLE fields is something that can be
done once at probe, it doesn't need to be re-run for each device.
Instead the new setup callback sets the built-in chip select to its
inactive state for active-low devices, as the reset value of the chip
select in software controlled mode is low.
Published: 2026-05-28
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability lies in the microchip-core-qspi driver of the Linux kernel. The hardware automatically drives the built‑in chip select low when a transfer begins and high when all bytes are sent. When two devices are attached—one using the built‑in chip select and the other controlled by a GPIO—the driver may keep the built‑in chip select active while accessing the GPIO device, causing the wrong device to be addressed. This leads to data corruption, incorrect configuration, or a denial of service for the intended device. The flaw represents a control flow error that could be exploited by components that run after boot and can influence peripheral configuration; it is classified as CWE‑372, a misuse of conditional logic that results in improper chip‑select control.

Affected Systems

All Linux kernels that load the microchip-core-qspi driver and connect multiple SPI devices to the same controller are impacted. Systems that rely on the built‑in chip select for active‑low operation or use GPIOs for other devices are especially susceptible. Boards that previously avoided the built‑in chip select may still be at risk if the driver is updated or new SPI devices are introduced.

Risk and Exploitability

The EPSS score is below 1%, indicating a very low but non-zero exploitation probability. The CVSS score of 5.5 denotes a medium severity that can lead to data integrity or availability issues on the SPI bus. The vulnerability is not listed in the CISA KEV catalog and no public exploit is known. The likely attack vector is local: an adversary would need the ability to modify the device tree or alter the driver’s configuration. Because the issue affects only the sequencing of chip‑select signals, the impact is limited to data integrity or availability on the SPI bus rather than full system compromise.

Generated by OpenCVE AI on June 10, 2026 at 22:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the kernel patch that implements manual chip‑select control in the microchip-core‑qspi driver, thereby fixing the CWE‑372 flaw identified in the driver.
  • Reconfigure all SPI devices on the controller to use GPIO‑based chip selects and disable reliance on the built‑in chip select when multiple devices are present, mitigating the misuse of conditional logic (CWE‑372).
  • For active‑high devices, ensure the controller operates in software‑controlled mode and leave the chip select inactive (low) during operation, or avoid using the controller’s built‑in chip select altogether.

Generated by OpenCVE AI on June 10, 2026 at 22:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Fri, 29 May 2026 04:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-665

Fri, 29 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-372
References

Thu, 28 May 2026 12:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-665

Thu, 28 May 2026 10:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: spi: microchip-core-qspi: control built-in cs manually The coreQSPI IP supports only a single chip select, which is automagically operated by the hardware - set low when the transmit buffer first gets written to and set high when the number of bytes written to the TOTALBYTES field of the FRAMES register have been sent on the bus. Additional devices must use GPIOs for their chip selects. It was reported to me that if there are two devices attached to this QSPI controller that the in-built chip select is set low while linux tries to access the device attached to the GPIO. This went undetected as the boards that connected multiple devices to the SPI controller all exclusively used GPIOs for chip selects, not relying on the built-in chip select at all. It turns out that this was because the built-in chip select, when controlled automagically, is set low when active and high when inactive, thereby ruling out its use for active-high devices or devices that need to transmit with the chip select disabled. Modify the driver so that it controls chip select directly, retaining the behaviour for mem_ops of setting the chip select active for the entire duration of the transfer in the exec_op callback. For regular transfers, implement the set_cs callback for the core to use. As part of this, the existing setup callback, mchp_coreqspi_setup_op(), is removed. Modifying the CLKIDLE field is not safe to do during operation when there are multiple devices, so this code is removed entirely. Setting the MASTER and ENABLE fields is something that can be done once at probe, it doesn't need to be re-run for each device. Instead the new setup callback sets the built-in chip select to its inactive state for active-low devices, as the reset value of the chip select in software controlled mode is low.
Title spi: microchip-core-qspi: control built-in cs manually
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-14T17:58:05.988Z

Reserved: 2026-05-13T15:03:33.101Z

Link: CVE-2026-46148

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-28T10:16:30.410

Modified: 2026-06-10T21:18:13.540

Link: CVE-2026-46148

cve-icon Redhat

Severity :

Publid Date: 2026-05-28T00:00:00Z

Links: CVE-2026-46148 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T23:00:20Z

Weaknesses