{"api_version":"1","generated_at":"2026-05-29T19:44:47+00:00","cve":"CVE-2026-46148","urls":{"html":"https://cve.report/CVE-2026-46148","api":"https://cve.report/api/cve/CVE-2026-46148.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-46148","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-46148"},"summary":{"title":"spi: microchip-core-qspi: control built-in cs manually","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nspi: microchip-core-qspi: control built-in cs manually\n\nThe coreQSPI IP supports only a single chip select, which is\nautomagically operated by the hardware - set low when the transmit\nbuffer first gets written to and set high when the number of bytes\nwritten to the TOTALBYTES field of the FRAMES register have been sent on\nthe bus. Additional devices must use GPIOs for their chip selects.\nIt was reported to me that if there are two devices attached to this\nQSPI controller that the in-built chip select is set low while linux\ntries to access the device attached to the GPIO.\n\nThis went undetected as the boards that connected multiple devices to\nthe SPI controller all exclusively used GPIOs for chip selects, not\nrelying on the built-in chip select at all. It turns out that this was\nbecause the built-in chip select, when controlled automagically, is set\nlow when active and high when inactive, thereby ruling out its use for\nactive-high devices or devices that need to transmit with the chip\nselect disabled.\n\nModify the driver so that it controls chip select directly, retaining\nthe behaviour for mem_ops of setting the chip select active for the\nentire duration of the transfer in the exec_op callback. For regular\ntransfers, implement the set_cs callback for the core to use.\n\nAs part of this, the existing setup callback, mchp_coreqspi_setup_op(),\nis removed. Modifying the CLKIDLE field is not safe to do during\noperation when there are multiple devices, so this code is removed\nentirely. Setting the MASTER and ENABLE fields is something that can be\ndone once at probe, it doesn't need to be re-run for each device.\nInstead the new setup callback sets the built-in chip select to its\ninactive state for active-low devices, as the reset value of the chip\nselect in software controlled mode is low.","state":"PUBLISHED","assigner":"Linux","published_at":"2026-05-28 10:16:30","updated_at":"2026-05-28 13:44:01"},"problem_types":[],"metrics":[],"references":[{"url":"https://git.kernel.org/stable/c/ee3c99aa102212ad59dc2c19595515c4a6729307","name":"https://git.kernel.org/stable/c/ee3c99aa102212ad59dc2c19595515c4a6729307","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/7672749e1496215e8683ce57cf323119033954cf","name":"https://git.kernel.org/stable/c/7672749e1496215e8683ce57cf323119033954cf","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/998f43196d732f20f9b71eb6ebd973736c9fa911","name":"https://git.kernel.org/stable/c/998f43196d732f20f9b71eb6ebd973736c9fa911","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-46148","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-46148","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 8596124c4c1bc7561454cee0463c16eca70b5d25 998f43196d732f20f9b71eb6ebd973736c9fa911 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 8596124c4c1bc7561454cee0463c16eca70b5d25 ee3c99aa102212ad59dc2c19595515c4a6729307 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 8596124c4c1bc7561454cee0463c16eca70b5d25 7672749e1496215e8683ce57cf323119033954cf git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6.1","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.1 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.30 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0.7 7.0.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.1-rc3 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"46148","cve":"CVE-2026-46148","epss":"0.000170000","percentile":"0.043220000","score_date":"2026-05-28","updated_at":"2026-05-29 00:13:15"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["drivers/spi/spi-microchip-core-qspi.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"998f43196d732f20f9b71eb6ebd973736c9fa911","status":"affected","version":"8596124c4c1bc7561454cee0463c16eca70b5d25","versionType":"git"},{"lessThan":"ee3c99aa102212ad59dc2c19595515c4a6729307","status":"affected","version":"8596124c4c1bc7561454cee0463c16eca70b5d25","versionType":"git"},{"lessThan":"7672749e1496215e8683ce57cf323119033954cf","status":"affected","version":"8596124c4c1bc7561454cee0463c16eca70b5d25","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["drivers/spi/spi-microchip-core-qspi.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"6.1"},{"lessThan":"6.1","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.30","versionType":"semver"},{"lessThanOrEqual":"7.0.*","status":"unaffected","version":"7.0.7","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.1-rc3","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.30","versionStartIncluding":"6.1","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0.7","versionStartIncluding":"6.1","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.1-rc3","versionStartIncluding":"6.1","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nspi: microchip-core-qspi: control built-in cs manually\n\nThe coreQSPI IP supports only a single chip select, which is\nautomagically operated by the hardware - set low when the transmit\nbuffer first gets written to and set high when the number of bytes\nwritten to the TOTALBYTES field of the FRAMES register have been sent on\nthe bus. Additional devices must use GPIOs for their chip selects.\nIt was reported to me that if there are two devices attached to this\nQSPI controller that the in-built chip select is set low while linux\ntries to access the device attached to the GPIO.\n\nThis went undetected as the boards that connected multiple devices to\nthe SPI controller all exclusively used GPIOs for chip selects, not\nrelying on the built-in chip select at all. It turns out that this was\nbecause the built-in chip select, when controlled automagically, is set\nlow when active and high when inactive, thereby ruling out its use for\nactive-high devices or devices that need to transmit with the chip\nselect disabled.\n\nModify the driver so that it controls chip select directly, retaining\nthe behaviour for mem_ops of setting the chip select active for the\nentire duration of the transfer in the exec_op callback. For regular\ntransfers, implement the set_cs callback for the core to use.\n\nAs part of this, the existing setup callback, mchp_coreqspi_setup_op(),\nis removed. Modifying the CLKIDLE field is not safe to do during\noperation when there are multiple devices, so this code is removed\nentirely. Setting the MASTER and ENABLE fields is something that can be\ndone once at probe, it doesn't need to be re-run for each device.\nInstead the new setup callback sets the built-in chip select to its\ninactive state for active-low devices, as the reset value of the chip\nselect in software controlled mode is low."}],"providerMetadata":{"dateUpdated":"2026-05-28T09:36:04.805Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/998f43196d732f20f9b71eb6ebd973736c9fa911"},{"url":"https://git.kernel.org/stable/c/ee3c99aa102212ad59dc2c19595515c4a6729307"},{"url":"https://git.kernel.org/stable/c/7672749e1496215e8683ce57cf323119033954cf"}],"title":"spi: microchip-core-qspi: control built-in cs manually","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-46148","datePublished":"2026-05-28T09:36:04.805Z","dateReserved":"2026-05-13T15:03:33.101Z","dateUpdated":"2026-05-28T09:36:04.805Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-05-28 10:16:30","lastModifiedDate":"2026-05-28 13:44:01","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"46148","Ordinal":"1","Title":"spi: microchip-core-qspi: control built-in cs manually","CVE":"CVE-2026-46148","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"46148","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nspi: microchip-core-qspi: control built-in cs manually\n\nThe coreQSPI IP supports only a single chip select, which is\nautomagically operated by the hardware - set low when the transmit\nbuffer first gets written to and set high when the number of bytes\nwritten to the TOTALBYTES field of the FRAMES register have been sent on\nthe bus. Additional devices must use GPIOs for their chip selects.\nIt was reported to me that if there are two devices attached to this\nQSPI controller that the in-built chip select is set low while linux\ntries to access the device attached to the GPIO.\n\nThis went undetected as the boards that connected multiple devices to\nthe SPI controller all exclusively used GPIOs for chip selects, not\nrelying on the built-in chip select at all. It turns out that this was\nbecause the built-in chip select, when controlled automagically, is set\nlow when active and high when inactive, thereby ruling out its use for\nactive-high devices or devices that need to transmit with the chip\nselect disabled.\n\nModify the driver so that it controls chip select directly, retaining\nthe behaviour for mem_ops of setting the chip select active for the\nentire duration of the transfer in the exec_op callback. For regular\ntransfers, implement the set_cs callback for the core to use.\n\nAs part of this, the existing setup callback, mchp_coreqspi_setup_op(),\nis removed. Modifying the CLKIDLE field is not safe to do during\noperation when there are multiple devices, so this code is removed\nentirely. Setting the MASTER and ENABLE fields is something that can be\ndone once at probe, it doesn't need to be re-run for each device.\nInstead the new setup callback sets the built-in chip select to its\ninactive state for active-low devices, as the reset value of the chip\nselect in software controlled mode is low.","Type":"Description","Title":"spi: microchip-core-qspi: control built-in cs manually"}]}}}