Vulnerabilities

To inform, warn and help professionals with the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database). Under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-57944

Publication date:
21/01/2025
In the Linux kernel, the following vulnerability has been resolved:

iio: adc: ti-ads1298: Add NULL check in ads1298_init

devm_kasprintf() can return a NULL pointer on failure. A check on the return value of such a call in ads1298_init() is missing. Add it.
Severity CVSS v4.0: Pending analysis
Last modification:
01/10/2025

CVE-2024-57940

Publication date:
21/01/2025
In the Linux kernel, the following vulnerability has been resolved:

exfat: fix the infinite loop in exfat_readdir()

If the file system is corrupted so that a cluster is linked to itself in the cluster chain, and there is an unused directory entry in the cluster, 'dentry' will not be incremented, causing condition 'dentry
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2024-57939

Publication date:
21/01/2025
In the Linux kernel, the following vulnerability has been resolved:

riscv: Fix sleeping in invalid context in die()

die() can be called in exception handler, and therefore cannot sleep. However, die() takes spinlock_t which can sleep with PREEMPT_RT enabled. That causes the following warning:

BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48
in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 285, name: mutex
preempt_count: 110001, expected: 0
RCU nest depth: 0, expected: 0
CPU: 0 UID: 0 PID: 285 Comm: mutex Not tainted 6.12.0-rc7-00022-ge19049cf7d56-dirty #234
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
dump_backtrace+0x1c/0x24
show_stack+0x2c/0x38
dump_stack_lvl+0x5a/0x72
dump_stack+0x14/0x1c
__might_resched+0x130/0x13a
rt_spin_lock+0x2a/0x5c
die+0x24/0x112
do_trap_insn_illegal+0xa0/0xea
_new_vmalloc_restore_context_a0+0xcc/0xd8
Oops - illegal instruction [#1]

Switch to use raw_spinlock_t, which does not sleep even with PREEMPT_RT enabled.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2024-57934

Publication date:
21/01/2025
In the Linux kernel, the following vulnerability has been resolved:

fgraph: Add READ_ONCE() when accessing fgraph_array[]

In __ftrace_return_to_handler(), a loop iterates over the fgraph_array[] elements, which are fgraph_ops. The loop checks if an element is a fgraph_stub to prevent using a fgraph_stub afterward.

However, if the compiler reloads fgraph_array[] after this check, it might race with an update to fgraph_array[] that introduces a fgraph_stub. This could result in the stub being processed, but the stub contains a null "func_hash" field, leading to a NULL pointer dereference.

To ensure that the gops compared against the fgraph_stub matches the gops processed later, add a READ_ONCE(). A similar patch appears in commit 63a8dfb ("function_graph: Add READ_ONCE() when accessing fgraph_array[]").
Severity CVSS v4.0: Pending analysis
Last modification:
01/10/2025

CVE-2024-57935

Publication date:
21/01/2025
In the Linux kernel, the following vulnerability has been resolved:

RDMA/hns: Fix accessing invalid dip_ctx during destroying QP

If it fails to modify QP to RTR, dip_ctx will not be attached. And during destroying QP, the invalid dip_ctx pointer will be accessed.
Severity CVSS v4.0: Pending analysis
Last modification:
15/10/2025

CVE-2024-57936

Publication date:
21/01/2025
In the Linux kernel, the following vulnerability has been resolved:

RDMA/bnxt_re: Fix max SGEs for the Work Request

Gen P7 supports up to 13 SGEs for now. WQE software structure can hold only 6 now. Since the max send sge is reported as 13, the stack can give requests up to 13 SGEs. This is causing traffic failures and system crashes.

Use the define for max SGE supported for variable size. This will work for both static and variable WQEs.
Severity CVSS v4.0: Pending analysis
Last modification:
15/10/2025

CVE-2024-57937

Publication date:
21/01/2025
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Severity CVSS v4.0: Pending analysis
Last modification:
22/01/2025

CVE-2024-57938

Publication date:
21/01/2025
In the Linux kernel, the following vulnerability has been resolved:

net/sctp: Prevent autoclose integer overflow in sctp_association_init()

While by default max_autoclose equals to INT_MAX / HZ, one may set net.sctp.max_autoclose to UINT_MAX. There is code in sctp_association_init() that can consequently trigger overflow.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2025-0614

Publication date:
21/01/2025
Input validation vulnerability in Qualifio's Wheel of Fortune. This vulnerability could allow an attacker to modify a single email to contain upper and lower case characters in order to access the application and win prizes as many times as wanted.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2025-0615

Publication date:
21/01/2025
Input validation vulnerability in Qualifio's Wheel of Fortune. This vulnerability allows an attacker to modify an email to contain the ‘+’ symbol to access the application and win prizes as many times as wanted.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2024-57932

Publication date:
21/01/2025
In the Linux kernel, the following vulnerability has been resolved:

gve: guard XDP xmit NDO on existence of xdp queues

In GVE, dedicated XDP queues only exist when an XDP program is installed and the interface is up. As such, the NDO XDP XMIT callback should return early if either of these conditions are false.

In the case of no loaded XDP program, priv->num_xdp_queues=0 which can cause a divide-by-zero error, and in the case of interface down, num_xdp_queues remains untouched to persist XDP queue count for the next interface up, but the TX pointer itself would be NULL.

The XDP xmit callback also needs to synchronize with a device transitioning from open to close. This synchronization will happen via the GVE_PRIV_FLAGS_NAPI_ENABLED bit along with a synchronize_net() call, which waits for any RCU critical sections at call-time to complete.
Severity CVSS v4.0: Pending analysis
Last modification:
26/09/2025

CVE-2024-57933

Publication date:
21/01/2025
In the Linux kernel, the following vulnerability has been resolved:

gve: guard XSK operations on the existence of queues

This patch predicates the enabling and disabling of XSK pools on the existence of queues. As it stands, if the interface is down, disabling or enabling XSK pools would result in a crash, as the RX queue pointer would be NULL. XSK pool registration will occur as part of the next interface up.

Similarly, xsk_wakeup needs to be guarded against queues disappearing while the function is executing, so a check against the GVE_PRIV_FLAGS_NAPI_ENABLED flag is added to synchronize with the disabling of the bit and the synchronize_net() in gve_turndown.
Severity CVSS v4.0: Pending analysis
Last modification:
01/10/2025