Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-50211
Publication date:
08/11/2024
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> udf: refactor inode_bmap() to handle error<br /> <br /> Refactor inode_bmap() to handle error since udf_next_aext() can return<br /> error now. On situations like ftruncate, udf_extend_file() can now<br /> detect errors and bail out early without resorting to checking for<br /> particular offsets and assuming internal behavior of these functions.
Severity CVSS v4.0: Pending analysis
Last modification:
01/10/2025

CVE-2024-7982
Publication date:
08/11/2024
The Registrations for the Events Calendar WordPress plugin before 2.12.4 does not sanitise and escape some parameters when accepting event registrations, which could allow unauthenticated users to perform Cross-Site Scripting attacks.
Severity CVSS v4.0: Pending analysis
Last modification:
15/05/2025

CVE-2024-50208
Publication date:
08/11/2024
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> RDMA/bnxt_re: Fix a bug while setting up Level-2 PBL pages<br /> <br /> Avoid memory corruption while setting up Level-2 PBL pages for the non MR<br /> resources when num_pages &gt; 256K.<br /> <br /> There will be a single PDE page address (contiguous pages in the case of &gt;<br /> PAGE_SIZE), but, current logic assumes multiple pages, leading to invalid<br /> memory access after 256K PBL entries in the PDE.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2024-50209
Publication date:
08/11/2024
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> RDMA/bnxt_re: Add a check for memory allocation<br /> <br /> __alloc_pbl() can return error when memory allocation fails.<br /> Driver is not checking the status on one of the instances.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2024-50210
Publication date:
08/11/2024
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> posix-clock: posix-clock: Fix unbalanced locking in pc_clock_settime()<br /> <br /> If get_clock_desc() succeeds, it calls fget() for the clockid&amp;#39;s fd,<br /> and get the clk-&gt;rwsem read lock, so the error path should release<br /> the lock to make the lock balance and fput the clockid&amp;#39;s fd to make<br /> the refcount balance and release the fd related resource.<br /> <br /> However the below commit left the error path locked behind resulting in<br /> unbalanced locking. Check timespec64_valid_strict() before<br /> get_clock_desc() to fix it, because the "ts" is not changed<br /> after that.<br /> <br /> [pabeni@redhat.com: fixed commit message typo]
Severity CVSS v4.0: Pending analysis
Last modification:
12/05/2026

CVE-2024-50197
Publication date:
08/11/2024
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> pinctrl: intel: platform: fix error path in device_for_each_child_node()<br /> <br /> The device_for_each_child_node() loop requires calls to<br /> fwnode_handle_put() upon early returns to decrement the refcount of<br /> the child node and avoid leaking memory if that error path is triggered.<br /> <br /> There is one early returns within that loop in<br /> intel_platform_pinctrl_prepare_community(), but fwnode_handle_put() is<br /> missing.<br /> <br /> Instead of adding the missing call, the scoped version of the loop can<br /> be used to simplify the code and avoid mistakes in the future if new<br /> early returns are added, as the child node is only used for parsing, and<br /> it is never assigned.
Severity CVSS v4.0: Pending analysis
Last modification:
01/10/2025

CVE-2024-50203
Publication date:
08/11/2024
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bpf, arm64: Fix address emission with tag-based KASAN enabled<br /> <br /> When BPF_TRAMP_F_CALL_ORIG is enabled, the address of a bpf_tramp_image<br /> struct on the stack is passed during the size calculation pass and<br /> an address on the heap is passed during code generation. This may<br /> cause a heap buffer overflow if the heap address is tagged because<br /> emit_a64_mov_i64() will emit longer code than it did during the size<br /> calculation pass. The same problem could occur without tag-based<br /> KASAN if one of the 16-bit words of the stack address happened to<br /> be all-ones during the size calculation pass. Fix the problem by<br /> assuming the worst case (4 instructions) when calculating the size<br /> of the bpf_tramp_image address emission.
Severity CVSS v4.0: Pending analysis
Last modification:
22/05/2025

CVE-2024-50204
Publication date:
08/11/2024
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> fs: don&amp;#39;t try and remove empty rbtree node<br /> <br /> When copying a namespace we won&amp;#39;t have added the new copy into the<br /> namespace rbtree until after the copy succeeded. Calling free_mnt_ns()<br /> will try to remove the copy from the rbtree which is invalid. Simply<br /> free the namespace skeleton directly.
Severity CVSS v4.0: Pending analysis
Last modification:
01/10/2025

CVE-2024-50206
Publication date:
08/11/2024
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: ethernet: mtk_eth_soc: fix memory corruption during fq dma init<br /> <br /> The loop responsible for allocating up to MTK_FQ_DMA_LENGTH buffers must<br /> only touch as many descriptors, otherwise it ends up corrupting unrelated<br /> memory. Fix the loop iteration count accordingly.
Severity CVSS v4.0: Pending analysis
Last modification:
01/10/2025

CVE-2024-50191
Publication date:
08/11/2024
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ext4: don&amp;#39;t set SB_RDONLY after filesystem errors<br /> <br /> When the filesystem is mounted with errors=remount-ro, we were setting<br /> SB_RDONLY flag to stop all filesystem modifications. We knew this misses<br /> proper locking (sb-&gt;s_umount) and does not go through proper filesystem<br /> remount procedure but it has been the way this worked since early ext2<br /> days and it was good enough for catastrophic situation damage<br /> mitigation. Recently, syzbot has found a way (see link) to trigger<br /> warnings in filesystem freezing because the code got confused by<br /> SB_RDONLY changing under its hands. Since these days we set<br /> EXT4_FLAGS_SHUTDOWN on the superblock which is enough to stop all<br /> filesystem modifications, modifying SB_RDONLY shouldn&amp;#39;t be needed. So<br /> stop doing that.
Severity CVSS v4.0: Pending analysis
Last modification:
05/01/2026

CVE-2024-50192
Publication date:
08/11/2024
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> irqchip/gic-v4: Don&amp;#39;t allow a VMOVP on a dying VPE<br /> <br /> Kunkun Jiang reported that there is a small window of opportunity for<br /> userspace to force a change of affinity for a VPE while the VPE has already<br /> been unmapped, but the corresponding doorbell interrupt still visible in<br /> /proc/irq/.<br /> <br /> Plug the race by checking the value of vmapp_count, which tracks whether<br /> the VPE is mapped ot not, and returning an error in this case.<br /> <br /> This involves making vmapp_count common to both GICv4.1 and its v4.0<br /> ancestor.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2024-50193
Publication date:
08/11/2024
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> x86/entry_32: Clear CPU buffers after register restore in NMI return<br /> <br /> CPU buffers are currently cleared after call to exc_nmi, but before<br /> register state is restored. This may be okay for MDS mitigation but not for<br /> RDFS. Because RDFS mitigation requires CPU buffers to be cleared when<br /> registers don&amp;#39;t have any sensitive data.<br /> <br /> Move CLEAR_CPU_BUFFERS after RESTORE_ALL_NMI.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025
Subscribe to Vulnerabilities