Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-38541

Publication date:
16/08/2025
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: mt76: mt7925: Fix null-ptr-deref in mt7925_thermal_init()<br /> <br /> devm_kasprintf() returns NULL on error. Currently, mt7925_thermal_init()<br /> does not check for this case, which results in a NULL pointer<br /> dereference.<br /> <br /> Add NULL check after devm_kasprintf() to prevent this issue.
Severity CVSS v4.0: Pending analysis
Last modification:
18/08/2025

CVE-2025-38537

Publication date:
16/08/2025
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: phy: Don&amp;#39;t register LEDs for genphy<br /> <br /> If a PHY has no driver, the genphy driver is probed/removed directly in<br /> phy_attach/detach. If the PHY&amp;#39;s ofnode has an "leds" subnode, then the<br /> LEDs will be (un)registered when probing/removing the genphy driver.<br /> This could occur if the leds are for a non-generic driver that isn&amp;#39;t<br /> loaded for whatever reason. Synchronously removing the PHY device in<br /> phy_detach leads to the following deadlock:<br /> <br /> rtnl_lock()<br /> ndo_close()<br /> ...<br /> phy_detach()<br /> phy_remove()<br /> phy_leds_unregister()<br /> led_classdev_unregister()<br /> led_trigger_set()<br /> netdev_trigger_deactivate()<br /> unregister_netdevice_notifier()<br /> rtnl_lock()<br /> <br /> There is a corresponding deadlock on the open/register side of things<br /> (and that one is reported by lockdep), but it requires a race while this<br /> one is deterministic.<br /> <br /> Generic PHYs do not support LEDs anyway, so don&amp;#39;t bother registering<br /> them.
Severity CVSS v4.0: Pending analysis
Last modification:
18/08/2025

CVE-2025-38526

Publication date:
16/08/2025
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ice: add NULL check in eswitch lag check<br /> <br /> The function ice_lag_is_switchdev_running() is being called from outside of<br /> the LAG event handler code. This results in the lag-&gt;upper_netdev being<br /> NULL sometimes. To avoid a NULL-pointer dereference, there needs to be a<br /> check before it is dereferenced.
Severity CVSS v4.0: Pending analysis
Last modification:
18/08/2025

CVE-2025-38527

Publication date:
16/08/2025
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> smb: client: fix use-after-free in cifs_oplock_break<br /> <br /> A race condition can occur in cifs_oplock_break() leading to a<br /> use-after-free of the cinode structure when unmounting:<br /> <br /> cifs_oplock_break()<br /> _cifsFileInfo_put(cfile)<br /> cifsFileInfo_put_final()<br /> cifs_sb_deactive()<br /> [last ref, start releasing sb]<br /> kill_sb()<br /> kill_anon_super()<br /> generic_shutdown_super()<br /> evict_inodes()<br /> dispose_list()<br /> evict()<br /> destroy_inode()<br /> call_rcu(&amp;inode-&gt;i_rcu, i_callback)<br /> spin_lock(&amp;cinode-&gt;open_file_lock) open_file_lock)
Severity CVSS v4.0: Pending analysis
Last modification:
18/08/2025

CVE-2025-38528

Publication date:
16/08/2025
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bpf: Reject %p% format string in bprintf-like helpers<br /> <br /> static const char fmt[] = "%p%";<br /> bpf_trace_printk(fmt, sizeof(fmt));<br /> <br /> The above BPF program isn&amp;#39;t rejected and causes a kernel warning at<br /> runtime:<br /> <br /> Please remove unsupported %\x00 in format string<br /> WARNING: CPU: 1 PID: 7244 at lib/vsprintf.c:2680 format_decode+0x49c/0x5d0<br /> <br /> This happens because bpf_bprintf_prepare skips over the second %,<br /> detected as punctuation, while processing %p. This patch fixes it by<br /> not skipping over punctuation. %\x00 is then processed in the next<br /> iteration and rejected.
Severity CVSS v4.0: Pending analysis
Last modification:
18/08/2025

CVE-2025-38529

Publication date:
16/08/2025
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> comedi: aio_iiro_16: Fix bit shift out of bounds<br /> <br /> When checking for a supported IRQ number, the following test is used:<br /> <br /> if ((1 options[i]` is an unchecked `int` value from userspace, so<br /> the shift amount could be negative or out of bounds. Fix the test by<br /> requiring `it-&gt;options[1]` to be within bounds before proceeding with<br /> the original test. Valid `it-&gt;options[1]` values that select the IRQ<br /> will be in the range [1,15]. The value 0 explicitly disables the use of<br /> interrupts.
Severity CVSS v4.0: Pending analysis
Last modification:
18/08/2025

CVE-2025-38530

Publication date:
16/08/2025
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> comedi: pcl812: Fix bit shift out of bounds<br /> <br /> When checking for a supported IRQ number, the following test is used:<br /> <br /> if ((1 irq_bits) {<br /> <br /> However, `it-&gt;options[i]` is an unchecked `int` value from userspace, so<br /> the shift amount could be negative or out of bounds. Fix the test by<br /> requiring `it-&gt;options[1]` to be within bounds before proceeding with<br /> the original test. Valid `it-&gt;options[1]` values that select the IRQ<br /> will be in the range [1,15]. The value 0 explicitly disables the use of<br /> interrupts.
Severity CVSS v4.0: Pending analysis
Last modification:
18/08/2025

CVE-2025-38531

Publication date:
16/08/2025
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> iio: common: st_sensors: Fix use of uninitialize device structs<br /> <br /> Throughout the various probe functions &amp;indio_dev-&gt;dev is used before it<br /> is initialized. This caused a kernel panic in st_sensors_power_enable()<br /> when the call to devm_regulator_bulk_get_enable() fails and then calls<br /> dev_err_probe() with the uninitialized device.<br /> <br /> This seems to only cause a panic with dev_err_probe(), dev_err(),<br /> dev_warn() and dev_info() don&amp;#39;t seem to cause a panic, but are fixed<br /> as well.<br /> <br /> The issue is reported and traced here: [1]
Severity CVSS v4.0: Pending analysis
Last modification:
18/08/2025

CVE-2025-38532

Publication date:
16/08/2025
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: libwx: properly reset Rx ring descriptor<br /> <br /> When device reset is triggered by feature changes such as toggling Rx<br /> VLAN offload, wx-&gt;do_reset() is called to reinitialize Rx rings. The<br /> hardware descriptor ring may retain stale values from previous sessions.<br /> And only set the length to 0 in rx_desc[0] would result in building<br /> malformed SKBs. Fix it to ensure a clean slate after device reset.<br /> <br /> [ 549.186435] [ C16] ------------[ cut here ]------------<br /> [ 549.186457] [ C16] kernel BUG at net/core/skbuff.c:2814!<br /> [ 549.186468] [ C16] Oops: invalid opcode: 0000 [#1] SMP NOPTI<br /> [ 549.186472] [ C16] CPU: 16 UID: 0 PID: 0 Comm: swapper/16 Kdump: loaded Not tainted 6.16.0-rc4+ #23 PREEMPT(voluntary)<br /> [ 549.186476] [ C16] Hardware name: Micro-Star International Co., Ltd. MS-7E16/X670E GAMING PLUS WIFI (MS-7E16), BIOS 1.90 12/31/2024<br /> [ 549.186478] [ C16] RIP: 0010:__pskb_pull_tail+0x3ff/0x510<br /> [ 549.186484] [ C16] Code: 06 f0 ff 4f 34 74 7b 4d 8b 8c 24 c8 00 00 00 45 8b 84 24 c0 00 00 00 e9 c8 fd ff ff 48 c7 44 24 08 00 00 00 00 e9 5e fe ff ff 0b 31 c0 e9 23 90 5b ff 41 f7 c6 ff 0f 00 00 75 bf 49 8b 06 a8<br /> [ 549.186487] [ C16] RSP: 0018:ffffb391c0640d70 EFLAGS: 00010282<br /> [ 549.186490] [ C16] RAX: 00000000fffffff2 RBX: ffff8fe7e4d40200 RCX: 00000000fffffff2<br /> [ 549.186492] [ C16] RDX: ffff8fe7c3a4bf8e RSI: 0000000000000180 RDI: ffff8fe7c3a4bf40<br /> [ 549.186494] [ C16] RBP: ffffb391c0640da8 R08: ffff8fe7c3a4c0c0 R09: 000000000000000e<br /> [ 549.186496] [ C16] R10: ffffb391c0640d88 R11: 000000000000000e R12: ffff8fe7e4d40200<br /> [ 549.186497] [ C16] R13: 00000000fffffff2 R14: ffff8fe7fa01a000 R15: 00000000fffffff2<br /> [ 549.186499] [ C16] FS: 0000000000000000(0000) GS:ffff8fef5ae40000(0000) knlGS:0000000000000000<br /> [ 549.186502] [ C16] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [ 549.186503] [ C16] CR2: 00007f77d81d6000 CR3: 000000051a032000 CR4: 0000000000750ef0<br /> [ 549.186505] [ C16] PKRU: 55555554<br /> [ 549.186507] [ C16] Call Trace:<br /> [ 549.186510] [ C16] <br /> [ 549.186513] [ C16] ? srso_alias_return_thunk+0x5/0xfbef5<br /> [ 549.186517] [ C16] __skb_pad+0xc7/0xf0<br /> [ 549.186523] [ C16] wx_clean_rx_irq+0x355/0x3b0 [libwx]<br /> [ 549.186533] [ C16] wx_poll+0x92/0x120 [libwx]<br /> [ 549.186540] [ C16] __napi_poll+0x28/0x190<br /> [ 549.186544] [ C16] net_rx_action+0x301/0x3f0<br /> [ 549.186548] [ C16] ? srso_alias_return_thunk+0x5/0xfbef5<br /> [ 549.186551] [ C16] ? __raw_spin_lock_irqsave+0x1e/0x50<br /> [ 549.186554] [ C16] ? srso_alias_return_thunk+0x5/0xfbef5<br /> [ 549.186557] [ C16] ? wake_up_nohz_cpu+0x35/0x160<br /> [ 549.186559] [ C16] ? srso_alias_return_thunk+0x5/0xfbef5<br /> [ 549.186563] [ C16] handle_softirqs+0xf9/0x2c0<br /> [ 549.186568] [ C16] __irq_exit_rcu+0xc7/0x130<br /> [ 549.186572] [ C16] common_interrupt+0xb8/0xd0<br /> [ 549.186576] [ C16] <br /> [ 549.186577] [ C16] <br /> [ 549.186579] [ C16] asm_common_interrupt+0x22/0x40<br /> [ 549.186582] [ C16] RIP: 0010:cpuidle_enter_state+0xc2/0x420<br /> [ 549.186585] [ C16] Code: 00 00 e8 11 0e 5e ff e8 ac f0 ff ff 49 89 c5 0f 1f 44 00 00 31 ff e8 0d ed 5c ff 45 84 ff 0f 85 40 02 00 00 fb 0f 1f 44 00 00 85 f6 0f 88 84 01 00 00 49 63 d6 48 8d 04 52 48 8d 04 82 49 8d<br /> [ 549.186587] [ C16] RSP: 0018:ffffb391c0277e78 EFLAGS: 00000246<br /> [ 549.186590] [ C16] RAX: ffff8fef5ae40000 RBX: 0000000000000003 RCX: 0000000000000000<br /> [ 549.186591] [ C16] RDX: 0000007fde0faac5 RSI: ffffffff826e53f6 RDI: ffffffff826fa9b3<br /> [ 549.186593] [ C16] RBP: ffff8fe7c3a20800 R08: 0000000000000002 R09: 0000000000000000<br /> [ 549.186595] [ C16] R10: 0000000000000000 R11: 000000000000ffff R12: ffffffff82ed7a40<br /> [ 549.186596] [ C16] R13: 0000007fde0faac5 R14: 0000000000000003 R15: 0000000000000000<br /> [ 549.186601] [ C16] ? cpuidle_enter_state+0xb3/0x420<br /> [ 549.186605] [ C16] cpuidle_en<br /> ---truncated---
Severity CVSS v4.0: Pending analysis
Last modification:
18/08/2025

CVE-2025-38533

Publication date:
16/08/2025
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: libwx: fix the using of Rx buffer DMA<br /> <br /> The wx_rx_buffer structure contained two DMA address fields: &amp;#39;dma&amp;#39; and<br /> &amp;#39;page_dma&amp;#39;. However, only &amp;#39;page_dma&amp;#39; was actually initialized and used<br /> to program the Rx descriptor. But &amp;#39;dma&amp;#39; was uninitialized and used in<br /> some paths.<br /> <br /> This could lead to undefined behavior, including DMA errors or<br /> use-after-free, if the uninitialized &amp;#39;dma&amp;#39; was used. Althrough such<br /> error has not yet occurred, it is worth fixing in the code.
Severity CVSS v4.0: Pending analysis
Last modification:
18/08/2025

CVE-2025-38522

Publication date:
16/08/2025
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> sched/ext: Prevent update_locked_rq() calls with NULL rq<br /> <br /> Avoid invoking update_locked_rq() when the runqueue (rq) pointer is NULL<br /> in the SCX_CALL_OP and SCX_CALL_OP_RET macros.<br /> <br /> Previously, calling update_locked_rq(NULL) with preemption enabled could<br /> trigger the following warning:<br /> <br /> BUG: using __this_cpu_write() in preemptible [00000000]<br /> <br /> This happens because __this_cpu_write() is unsafe to use in preemptible<br /> context.<br /> <br /> rq is NULL when an ops invoked from an unlocked context. In such cases, we<br /> don&amp;#39;t need to store any rq, since the value should already be NULL<br /> (unlocked). Ensure that update_locked_rq() is only called when rq is<br /> non-NULL, preventing calling __this_cpu_write() on preemptible context.
Severity CVSS v4.0: Pending analysis
Last modification:
18/08/2025

CVE-2025-38523

Publication date:
16/08/2025
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> cifs: Fix the smbd_response slab to allow usercopy<br /> <br /> The handling of received data in the smbdirect client code involves using<br /> copy_to_iter() to copy data from the smbd_reponse struct&amp;#39;s packet trailer<br /> to a folioq buffer provided by netfslib that encapsulates a chunk of<br /> pagecache.<br /> <br /> If, however, CONFIG_HARDENED_USERCOPY=y, this will result in the checks<br /> then performed in copy_to_iter() oopsing with something like the following:<br /> <br /> CIFS: Attempting to mount //172.31.9.1/test<br /> CIFS: VFS: RDMA transport established<br /> usercopy: Kernel memory exposure attempt detected from SLUB object &amp;#39;smbd_response_0000000091e24ea1&amp;#39; (offset 81, size 63)!<br /> ------------[ cut here ]------------<br /> kernel BUG at mm/usercopy.c:102!<br /> ...<br /> RIP: 0010:usercopy_abort+0x6c/0x80<br /> ...<br /> Call Trace:<br /> <br /> __check_heap_object+0xe3/0x120<br /> __check_object_size+0x4dc/0x6d0<br /> smbd_recv+0x77f/0xfe0 [cifs]<br /> cifs_readv_from_socket+0x276/0x8f0 [cifs]<br /> cifs_read_from_socket+0xcd/0x120 [cifs]<br /> cifs_demultiplex_thread+0x7e9/0x2d50 [cifs]<br /> kthread+0x396/0x830<br /> ret_from_fork+0x2b8/0x3b0<br /> ret_from_fork_asm+0x1a/0x30<br /> <br /> The problem is that the smbd_response slab&amp;#39;s packet field isn&amp;#39;t marked as<br /> being permitted for usercopy.<br /> <br /> Fix this by passing parameters to kmem_slab_create() to indicate that<br /> copy_to_iter() is permitted from the packet region of the smbd_response<br /> slab objects, less the header space.
Severity CVSS v4.0: Pending analysis
Last modification:
18/08/2025