CVE-2026-46293 Overview
CVE-2026-46293 is an out-of-bounds access vulnerability in the Linux kernel's Microchip PolarFire SoC Clock Conditioning Circuitry (MPFS CCC) driver located at clk/microchip/mpfs-ccc. The Undefined Behavior Sanitizer (UBSAN) reported the issue during registration of the last two clock outputs. The driver allocates space in the hws array for two PLLs and their four output dividers, but the defined IDs also include two DLLs and their outputs, which the driver does not support.
Critical Impact
The out-of-bounds write occurs in kernel space during clock controller initialization on Microchip PolarFire SoC platforms, potentially corrupting adjacent kernel memory.
Affected Products
- Linux kernel containing the clk-mpfs-ccc driver
- Microchip PolarFire SoC platforms using the Clock Conditioning Circuitry block
- Stable kernel branches referenced in the upstream fix commits
Discovery Timeline
- 2026-06-08 - CVE-2026-46293 published to NVD
- 2026-06-08 - Last updated in NVD database
Technical Details for CVE-2026-46293
Vulnerability Analysis
The MPFS CCC driver registers clock outputs through the common clock framework using a fixed-size hws array. The driver sizes this array to hold entries for two Phase-Locked Loops (PLLs) and the four output dividers belonging to each PLL. The device tree binding identifiers, however, follow the order PLLs, then Delay-Locked Loops (DLLs), then PLL outputs, then DLL outputs. When the driver iterates over PLL output IDs and writes to hws[id], those identifiers exceed the allocated bounds because they assume DLL entries also exist.
UBSAN detected the resulting out-of-bounds write during normal driver probe. The fix decrements PLL output identifiers by two before indexing into the hws array, compensating for the absent DLL slots. The vulnerability is constrained to the kernel boot path on platforms that instantiate the MPFS CCC clock controller.
Root Cause
The defect is an indexing mismatch between the device tree ID scheme and the driver's allocation strategy. The hardware definitions reserve identifiers for DLLs that the driver does not register, leaving gaps in the expected indices. Writing PLL output handles at their raw IDs overruns the hws array. This is a kernel-space out-of-bounds write [CWE-787] triggered during clock provider registration.
Attack Vector
The code path executes during kernel initialization on affected Microchip PolarFire SoC hardware. The condition is not reachable through unprivileged user input or network traffic. Exploitation requires either physical access to vulnerable hardware or a malicious device tree overlay loaded with root privileges. Practical impact is limited to memory corruption or boot instability on the affected SoC family.
No synthesized exploit code is provided; the issue is a memory-safety regression in a hardware-specific clock driver. Refer to the Kernel Git Commit dbfcb09 for the corrective patch.
Detection Methods for CVE-2026-46293
Indicators of Compromise
- UBSAN warnings in dmesg referencing mpfs-ccc or array index out of bounds during clock driver probe
- Kernel boot failures or clock subsystem initialization errors on Microchip PolarFire SoC devices
- Unexpected kernel panics or memory corruption traces originating from clk_hw_register calls in the MPFS CCC code path
Detection Strategies
- Audit installed kernel versions on PolarFire SoC fleets and compare against the patched stable branches listed in the upstream commits
- Enable CONFIG_UBSAN on test systems to surface the out-of-bounds access at boot before deployment
- Review device tree configurations for MPFS CCC nodes and validate the kernel in use includes the index offset fix
Monitoring Recommendations
- Forward kernel ring buffer messages to a centralized log platform and alert on UBSAN reports tied to clock drivers
- Track Linux kernel package versions across embedded device inventories and flag unpatched builds
- Monitor PolarFire SoC platforms for unexpected reboots or clock-related failure modes that could indicate the underlying defect
How to Mitigate CVE-2026-46293
Immediate Actions Required
- Update the Linux kernel on Microchip PolarFire SoC systems to a stable release that incorporates the MPFS CCC fix
- Restrict physical and administrative access to affected embedded platforms to prevent malicious device tree modifications
- Rebuild custom kernels from a source tree that includes the upstream patch before redeploying images
Patch Information
The fix decrements PLL output IDs by two when inserting them into the hws array, aligning indices with the actual allocation size. The corrective change is available across multiple stable branches in the following commits: Kernel Git Commit 2f7ae8a, Kernel Git Commit 47bc7a0, Kernel Git Commit 9ed9b58, Kernel Git Commit a0780ae, Kernel Git Commit dbfcb09, and Kernel Git Commit f24efd4.
Workarounds
- Disable the CONFIG_MPFS_CCC driver in kernel builds if the affected clock controller is not required for the target deployment
- Avoid loading untrusted device tree overlays that reference MPFS CCC clock IDs on unpatched kernels
- Pin device fleets to known-good kernel images and stage updates through controlled rollouts until the patch is validated
# Verify the running kernel and check for the MPFS CCC driver module
uname -r
grep -i mpfs /proc/config.gz 2>/dev/null || zcat /proc/config.gz | grep MPFS_CCC
dmesg | grep -i -E 'ubsan|mpfs-ccc'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
