Vulnerabilities

To inform, warn and help professionals regarding the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database). Under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: different criteria can be selected to narrow down the results, such as vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2026-43120

Publication date: 06/05/2026
In the Linux kernel, the following vulnerability has been resolved:
RDMA/irdma: Fix double free related to rereg_user_mr
If IB_MR_REREG_TRANS is set during rereg_user_mr, the umem will be released and a new one will be allocated in irdma_rereg_mr_trans. If any step of irdma_rereg_mr_trans fails after the new umem is allocated, it releases the umem, but does not set iwmr->region to NULL. The problem is that this failure is propagated to the user, who will then call ibv_dereg_mr (as they should). Then, the dereg_mr path will see a non-NULL umem and attempt to call ib_umem_release again.
Fix this by setting iwmr->region to NULL after ib_umem_release.
Fixed: 5ac388db27c4 ("RDMA/irdma: Add support to re-register a memory region")
Severity CVSS v4.0: Pending analysis
Last modification: 12/05/2026

CVE-2026-43112

Publication date: 06/05/2026
In the Linux kernel, the following vulnerability has been resolved:
fs/smb/client: fix out-of-bounds read in cifs_sanitize_prepath
When cifs_sanitize_prepath is called with an empty string or a string containing only delimiters (e.g., "/"), the current logic attempts to check *(cursor2 - 1) before cursor2 has advanced. This results in an out-of-bounds read.
This patch adds an early exit check after stripping prepended delimiters. If no path content remains, the function returns NULL.
The bug was identified via manual audit and verified using a standalone test case compiled with AddressSanitizer, which triggered a SEGV on affected inputs.
Severity CVSS v4.0: Pending analysis
Last modification: 08/05/2026

CVE-2026-43111

Publication date: 06/05/2026
In the Linux kernel, the following vulnerability has been resolved:
HID: roccat: fix use-after-free in roccat_report_event
roccat_report_event() iterates over the device->readers list without holding the readers_lock. This allows a concurrent roccat_release() to remove and free a reader while it's still being accessed, leading to a use-after-free.
Protect the readers list traversal with the readers_lock mutex.
Severity CVSS v4.0: Pending analysis
Last modification: 08/05/2026

CVE-2026-43110

Publication date: 06/05/2026
In the Linux kernel, the following vulnerability has been resolved:
wifi: brcmfmac: validate bsscfg indices in IF events
brcmf_fweh_handle_if_event() validates the firmware-provided interface index before it touches drvr->iflist[], but it still uses the raw bsscfgidx field as an array index without a matching range check.
Reject IF events whose bsscfg index does not fit in drvr->iflist[] before indexing the interface array.
[add missing wifi prefix]
Severity CVSS v4.0: Pending analysis
Last modification: 08/05/2026

CVE-2026-43108

Publication date: 06/05/2026
In the Linux kernel, the following vulnerability has been resolved:
soc: qcom: pd-mapper: Fix element length in servreg_loc_pfr_req_ei
It looks element length declared in servreg_loc_pfr_req_ei for reason not matching servreg_loc_pfr_req's reason field due which we could observe decoding error on PD crash.
qmi_decode_string_elem: String len 81 >= Max Len 65
Fix this by matching with servreg_loc_pfr_req's reason field.
Severity CVSS v4.0: Pending analysis
Last modification: 11/05/2026

CVE-2026-43107

Publication date: 06/05/2026
In the Linux kernel, the following vulnerability has been resolved:
xfrm: account XFRMA_IF_ID in aevent size calculation
xfrm_get_ae() allocates the reply skb with xfrm_aevent_msgsize(), then build_aevent() appends attributes including XFRMA_IF_ID when x->if_id is set.
xfrm_aevent_msgsize() does not include space for XFRMA_IF_ID. For states with if_id, build_aevent() can fail with -EMSGSIZE and hit BUG_ON(err
Severity CVSS v4.0: Pending analysis
Last modification: 11/05/2026

CVE-2026-43106

Publication date: 06/05/2026
In the Linux kernel, the following vulnerability has been resolved:
cachefiles: fix incorrect dentry refcount in cachefiles_cull()
The patch mentioned below changed cachefiles_bury_object() to expect 2 references to the 'rep' dentry. Three of the callers were changed to use start_removing_dentry() which takes an extra reference so in those cases the call gets the expected references.
However there is another call to cachefiles_bury_object() in cachefiles_cull() which did not need to be changed to use start_removing_dentry() and so was not properly considered. It still passed the dentry with just one reference so the net result is that a reference is lost.
To meet the expectations of cachefiles_bury_object(), cachefiles_cull() must take an extra reference before the call. It will be dropped by cachefiles_bury_object().
Severity CVSS v4.0: Pending analysis
Last modification: 11/05/2026

CVE-2026-43105

Publication date: 06/05/2026
In the Linux kernel, the following vulnerability has been resolved:
drm/vc4: Fix memory leak of BO array in hang state
The hang state's BO array is allocated separately with kzalloc() in vc4_save_hang_state() but never freed in vc4_free_hang_state(). Add the missing kfree() for the BO array before freeing the hang state struct.
Severity CVSS v4.0: Pending analysis
Last modification: 11/05/2026

CVE-2026-43109

Publication date: 06/05/2026
In the Linux kernel, the following vulnerability has been resolved:
x86: shadow stacks: proper error handling for mmap lock
김영민 reports that shstk_pop_sigframe() doesn't check for errors from mmap_read_lock_killable(), which is a silly oversight, and also shows that we haven't marked those functions with "__must_check", which would have immediately caught it.
So let's fix both issues.
Severity CVSS v4.0: Pending analysis
Last modification: 14/05/2026

CVE-2026-43096

Publication date: 06/05/2026
In the Linux kernel, the following vulnerability has been resolved:
mshv: Fix infinite fault loop on permission-denied GPA intercepts
Prevent infinite fault loops when guests access memory regions without proper permissions. Currently, mshv_handle_gpa_intercept() attempts to remap pages for all faults on movable memory regions, regardless of whether the access type is permitted. When a guest writes to a read-only region, the remap succeeds but the region remains read-only, causing immediate re-fault and spinning the vCPU indefinitely.
Validate intercept access type against region permissions before attempting remaps. Reject writes to non-writable regions and executes to non-executable regions early, returning false to let the VMM handle the intercept appropriately.
This also closes a potential DoS vector where malicious guests could intentionally trigger these fault loops to consume host resources.
Severity CVSS v4.0: Pending analysis
Last modification: 06/05/2026

CVE-2026-43104

Publication date: 06/05/2026
In the Linux kernel, the following vulnerability has been resolved:
drm/vc4: Fix a memory leak in hang state error path
When vc4_save_hang_state() encounters an early return condition, it returns without freeing the previously allocated `kernel_state`, leaking memory.
Add the missing kfree() calls by consolidating the early return paths into a single place.
Severity CVSS v4.0: Pending analysis
Last modification: 11/05/2026

CVE-2026-43103

Publication date: 06/05/2026
In the Linux kernel, the following vulnerability has been resolved:
net: lapbether: handle NETDEV_PRE_TYPE_CHANGE
lapbeth_data_transmit() expects the underlying device type to be ARPHRD_ETHER.
Returning NOTIFY_BAD from lapbeth_device_event() makes sure bonding driver can not break this expectation.
Severity CVSS v4.0: Pending analysis
Last modification: 11/05/2026