Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-57939

Publication date:
21/01/2025
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> riscv: Fix sleeping in invalid context in die()<br /> <br /> die() can be called in exception handler, and therefore cannot sleep.<br /> However, die() takes spinlock_t which can sleep with PREEMPT_RT enabled.<br /> That causes the following warning:<br /> <br /> BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48<br /> in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 285, name: mutex<br /> preempt_count: 110001, expected: 0<br /> RCU nest depth: 0, expected: 0<br /> CPU: 0 UID: 0 PID: 285 Comm: mutex Not tainted 6.12.0-rc7-00022-ge19049cf7d56-dirty #234<br /> Hardware name: riscv-virtio,qemu (DT)<br /> Call Trace:<br /> dump_backtrace+0x1c/0x24<br /> show_stack+0x2c/0x38<br /> dump_stack_lvl+0x5a/0x72<br /> dump_stack+0x14/0x1c<br /> __might_resched+0x130/0x13a<br /> rt_spin_lock+0x2a/0x5c<br /> die+0x24/0x112<br /> do_trap_insn_illegal+0xa0/0xea<br /> _new_vmalloc_restore_context_a0+0xcc/0xd8<br /> Oops - illegal instruction [#1]<br /> <br /> Switch to use raw_spinlock_t, which does not sleep even with PREEMPT_RT<br /> enabled.
Severity CVSS v4.0: Pending analysis
Last modification:
02/02/2025

CVE-2024-57935

Publication date:
21/01/2025
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> RDMA/hns: Fix accessing invalid dip_ctx during destroying QP<br /> <br /> If it fails to modify QP to RTR, dip_ctx will not be attached. And<br /> during detroying QP, the invalid dip_ctx pointer will be accessed.
Severity CVSS v4.0: Pending analysis
Last modification:
21/01/2025

CVE-2024-57936

Publication date:
21/01/2025
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> RDMA/bnxt_re: Fix max SGEs for the Work Request<br /> <br /> Gen P7 supports up to 13 SGEs for now. WQE software structure<br /> can hold only 6 now. Since the max send sge is reported as<br /> 13, the stack can give requests up to 13 SGEs. This is causing<br /> traffic failures and system crashes.<br /> <br /> Use the define for max SGE supported for variable size. This<br /> will work for both static and variable WQEs.
Severity CVSS v4.0: Pending analysis
Last modification:
21/01/2025

CVE-2025-0614

Publication date:
21/01/2025
Input validation vulnerability in Qualifio&amp;#39;s Wheel of Fortune. This vulnerability could allow an attacker to modify a single email to contain upper and lower case characters in order to access the application and win prizes as many times as wanted.
Severity CVSS v4.0: Pending analysis
Last modification:
21/01/2025

CVE-2025-0615

Publication date:
21/01/2025
Input validation vulnerability in Qualifio&amp;#39;s Wheel of Fortune. This vulnerability allows an attacker to modify an email to contain the ‘+’ symbol to access the application and win prizes as many times as wanted.
Severity CVSS v4.0: Pending analysis
Last modification:
21/01/2025

CVE-2024-57937

Publication date:
21/01/2025
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Severity CVSS v4.0: Pending analysis
Last modification:
22/01/2025

CVE-2024-57938

Publication date:
21/01/2025
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/sctp: Prevent autoclose integer overflow in sctp_association_init()<br /> <br /> While by default max_autoclose equals to INT_MAX / HZ, one may set<br /> net.sctp.max_autoclose to UINT_MAX. There is code in<br /> sctp_association_init() that can consequently trigger overflow.
Severity CVSS v4.0: Pending analysis
Last modification:
22/01/2025

CVE-2024-57934

Publication date:
21/01/2025
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> fgraph: Add READ_ONCE() when accessing fgraph_array[]<br /> <br /> In __ftrace_return_to_handler(), a loop iterates over the fgraph_array[]<br /> elements, which are fgraph_ops. The loop checks if an element is a<br /> fgraph_stub to prevent using a fgraph_stub afterward.<br /> <br /> However, if the compiler reloads fgraph_array[] after this check, it might<br /> race with an update to fgraph_array[] that introduces a fgraph_stub. This<br /> could result in the stub being processed, but the stub contains a null<br /> "func_hash" field, leading to a NULL pointer dereference.<br /> <br /> To ensure that the gops compared against the fgraph_stub matches the gops<br /> processed later, add a READ_ONCE(). A similar patch appears in commit<br /> 63a8dfb ("function_graph: Add READ_ONCE() when accessing fgraph_array[]").
Severity CVSS v4.0: Pending analysis
Last modification:
03/02/2025

CVE-2024-57930

Publication date:
21/01/2025
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> tracing: Have process_string() also allow arrays<br /> <br /> In order to catch a common bug where a TRACE_EVENT() TP_fast_assign()<br /> assigns an address of an allocated string to the ring buffer and then<br /> references it in TP_printk(), which can be executed hours later when the<br /> string is free, the function test_event_printk() runs on all events as<br /> they are registered to make sure there&amp;#39;s no unwanted dereferencing.<br /> <br /> It calls process_string() to handle cases in TP_printk() format that has<br /> "%s". It returns whether or not the string is safe. But it can have some<br /> false positives.<br /> <br /> For instance, xe_bo_move() has:<br /> <br /> TP_printk("move_lacks_source:%s, migrate object %p [size %zu] from %s to %s device_id:%s",<br /> __entry-&gt;move_lacks_source ? "yes" : "no", __entry-&gt;bo, __entry-&gt;size,<br /> xe_mem_type_to_name[__entry-&gt;old_placement],<br /> xe_mem_type_to_name[__entry-&gt;new_placement], __get_str(device_id))<br /> <br /> Where the "%s" references into xe_mem_type_to_name[]. This is an array of<br /> pointers that should be safe for the event to access. Instead of flagging<br /> this as a bad reference, if a reference points to an array, where the<br /> record field is the index, consider it safe.
Severity CVSS v4.0: Pending analysis
Last modification:
21/01/2025

CVE-2024-57931

Publication date:
21/01/2025
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> selinux: ignore unknown extended permissions<br /> <br /> When evaluating extended permissions, ignore unknown permissions instead<br /> of calling BUG(). This commit ensures that future permissions can be<br /> added without interfering with older kernels.
Severity CVSS v4.0: Pending analysis
Last modification:
21/01/2025

CVE-2024-57932

Publication date:
21/01/2025
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> gve: guard XDP xmit NDO on existence of xdp queues<br /> <br /> In GVE, dedicated XDP queues only exist when an XDP program is installed<br /> and the interface is up. As such, the NDO XDP XMIT callback should<br /> return early if either of these conditions are false.<br /> <br /> In the case of no loaded XDP program, priv-&gt;num_xdp_queues=0 which can<br /> cause a divide-by-zero error, and in the case of interface down,<br /> num_xdp_queues remains untouched to persist XDP queue count for the next<br /> interface up, but the TX pointer itself would be NULL.<br /> <br /> The XDP xmit callback also needs to synchronize with a device<br /> transitioning from open to close. This synchronization will happen via<br /> the GVE_PRIV_FLAGS_NAPI_ENABLED bit along with a synchronize_net() call,<br /> which waits for any RCU critical sections at call-time to complete.
Severity CVSS v4.0: Pending analysis
Last modification:
21/01/2025

CVE-2024-57933

Publication date:
21/01/2025
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> gve: guard XSK operations on the existence of queues<br /> <br /> This patch predicates the enabling and disabling of XSK pools on the<br /> existence of queues. As it stands, if the interface is down, disabling<br /> or enabling XSK pools would result in a crash, as the RX queue pointer<br /> would be NULL. XSK pool registration will occur as part of the next<br /> interface up.<br /> <br /> Similarly, xsk_wakeup needs be guarded against queues disappearing<br /> while the function is executing, so a check against the<br /> GVE_PRIV_FLAGS_NAPI_ENABLED flag is added to synchronize with the<br /> disabling of the bit and the synchronize_net() in gve_turndown.
Severity CVSS v4.0: Pending analysis
Last modification:
31/01/2025