Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-71274
Publication date:
06/05/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> rpmsg: core: fix race in driver_override_show() and use core helper<br /> <br /> The driver_override_show function reads the driver_override string<br /> without holding the device_lock. However, the store function modifies<br /> and frees the string while holding the device_lock. This creates a race<br /> condition where the string can be freed by the store function while<br /> being read by the show function, leading to a use-after-free.<br /> <br /> To fix this, replace the rpmsg_string_attr macro with explicit show and<br /> store functions. The new driver_override_store uses the standard<br /> driver_set_override helper. Since the introduction of<br /> driver_set_override, the comments in include/linux/rpmsg.h have stated<br /> that this helper must be used to set or clear driver_override, but the<br /> implementation was not updated until now.<br /> <br /> Because driver_set_override modifies and frees the string while holding<br /> the device_lock, the new driver_override_show now correctly holds the<br /> device_lock during the read operation to prevent the race.<br /> <br /> Additionally, since rpmsg_string_attr has only ever been used for<br /> driver_override, removing the macro simplifies the code.
Severity CVSS v4.0: Pending analysis
Last modification:
12/05/2026

CVE-2025-71271
Publication date:
06/05/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> hfsplus: ensure sb-&gt;s_fs_info is always cleaned up<br /> <br /> When hfsplus was converted to the new mount api a bug was introduced by<br /> changing the allocation pattern of sb-&gt;s_fs_info. If setup_bdev_super()<br /> fails after a new superblock has been allocated by sget_fc(), but before<br /> hfsplus_fill_super() takes ownership of the filesystem-specific s_fs_info<br /> data it was leaked.<br /> <br /> Fix this by freeing sb-&gt;s_fs_info in hfsplus_kill_super().
Severity CVSS v4.0: Pending analysis
Last modification:
12/05/2026

CVE-2025-71273
Publication date:
06/05/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: rtw88: Use devm_kmemdup() in rtw_set_supported_band()<br /> <br /> Simplify the code by using device managed memory allocations.<br /> <br /> This also fixes a memory leak in rtw_register_hw(). The supported bands<br /> were not freed in the error path.<br /> <br /> Copied from commit 145df52a8671 ("wifi: rtw89: Convert<br /> rtw89_core_set_supported_band to use devm_*").
Severity CVSS v4.0: Pending analysis
Last modification:
12/05/2026

CVE-2025-71272
Publication date:
06/05/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> most: core: fix resource leak in most_register_interface error paths<br /> <br /> The function most_register_interface() did not correctly release resources<br /> if it failed early (before registering the device). In these cases, it<br /> returned an error code immediately, leaking the memory allocated for the<br /> interface.<br /> <br /> Fix this by initializing the device early via device_initialize() and<br /> calling put_device() on all error paths.<br /> <br /> The most_register_interface() is expected to call put_device() on<br /> error which frees the resources allocated in the caller. The<br /> put_device() either calls release_mdev() or dim2_release(),<br /> depending on the caller.<br /> <br /> Switch to using device_add() instead of device_register() to handle<br /> the split initialization.
Severity CVSS v4.0: Pending analysis
Last modification:
12/05/2026

CVE-2025-71288
Publication date:
06/05/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> memory: mtk-smi: fix device leaks on common probe<br /> <br /> Make sure to drop the reference taken when looking up the SMI device<br /> during common probe on late probe failure (e.g. probe deferral) and on<br /> driver unbind.
Severity CVSS v4.0: Pending analysis
Last modification:
13/05/2026

CVE-2025-71287
Publication date:
06/05/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> memory: mtk-smi: fix device leak on larb probe<br /> <br /> Make sure to drop the reference taken when looking up the SMI device<br /> during larb probe on late probe failure (e.g. probe deferral) and on<br /> driver unbind.
Severity CVSS v4.0: Pending analysis
Last modification:
13/05/2026

CVE-2025-31951
Publication date:
06/05/2026
HCL BigFix RunBookAI is affected by a Unvalidated Command Input / Potential Command Smuggling vulnerability. A flaw in a component&amp;#39;s input handling was identified that could permit unauthorized command execution.
Severity CVSS v4.0: Pending analysis
Last modification:
06/05/2026

CVE-2025-62345
Publication date:
06/05/2026
HCL BigFix RunBookAI is affected by a Continued availability of Less-Secure “Input Text” Vulnerability . A component contains a security weakness in its input handling implementation, increasing the risk of misconfiguration and operational errors.
Severity CVSS v4.0: Pending analysis
Last modification:
06/05/2026

CVE-2026-6420
Publication date:
06/05/2026
A flaw was found in Keylime. An attacker with root access on an enrolled monitored machine, where the Keylime agent runs, can exploit a vulnerability in the Keylime verifier. The verifier uses a hardcoded challenge nonce for Trusted Platform Module (TPM) quote attestation instead of a cryptographically random value. This allows the attacker to stockpile valid TPM quotes and replay them to evade detection after compromising the system. This issue affects only the push model deployment.
Severity CVSS v4.0: Pending analysis
Last modification:
07/05/2026

CVE-2025-59854
Publication date:
06/05/2026
HCL DFXAnalytics is affected by an Insecure Security Header Configuration vulnerability where the application utilizes the outdated X-XSS-Protection header, which could allow an attacker to exploit browser-specific rendering flaws or bypass security controls that should instead be managed by a robust Content Security Policy (CSP).
Severity CVSS v4.0: Pending analysis
Last modification:
07/05/2026

CVE-2025-59853
Publication date:
06/05/2026
HCL DFXAnalytics is affected by an Improper Error Handling vulnerability where the application exposes detailed stack traces in responses, which could allow an attacker to gain insights into the application&amp;#39;s internal structure, code logic, and environment configurations.
Severity CVSS v4.0: Pending analysis
Last modification:
07/05/2026

CVE-2025-59852
Publication date:
06/05/2026
HCL DFXAnalytics is affected by an Insufficient Transport Layer Protection vulnerability where data is transmitted over the network without encryption, which could allow an attacker to compromise the confidentiality, integrity, and authentication of sensitive information.
Severity CVSS v4.0: Pending analysis
Last modification:
07/05/2026
Subscribe to Vulnerabilities