Vulnerabilities

To inform, warn and help professionals with the latest security vulnerabilities in technology systems, we maintain a database, in Spanish, of all of the latest documented and recognised vulnerabilities for users interested in this information.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), which INCIBE translates into Spanish under a partnership agreement.

Occasionally this list will show vulnerabilities that have not yet been translated, because they are added while the INCIBE team is still carrying out the translation. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: results can be narrowed by criteria such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2026-31766

Publication date: 01/05/2026

In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu: validate doorbell_offset in user queue creation

amdgpu_userq_get_doorbell_index() passes the user-provided doorbell_offset to amdgpu_doorbell_index_on_bar() without bounds checking. An arbitrarily large doorbell_offset can cause the calculated doorbell index to fall outside the allocated doorbell BO, potentially corrupting kernel doorbell space.

Validate that doorbell_offset falls within the doorbell BO before computing the BAR index, using u64 arithmetic to prevent overflow.

(cherry picked from commit de1ef4ffd70e1d15f0bf584fd22b1f28cbd5e2ec)

Severity CVSS v4.0: Pending analysis
Last modification: 11/05/2026

CVE-2026-31767

Publication date: 01/05/2026

In the Linux kernel, the following vulnerability has been resolved:

drm/i915/dsi: Don't do DSC horizontal timing adjustments in command mode

Stop adjusting the horizontal timing values based on the compression ratio in command mode. Bspec seems to be telling us to do this only in video mode, and this is also how the Windows driver does things.

This should also fix a div-by-zero on some machines because the adjusted htotal ends up being so small that we end up with line_time_us==0 when trying to determine the vtotal value in command mode.

Note that this doesn't actually make the display on the Huawei Matebook E work, but at least the kernel no longer explodes when the driver loads.

(cherry picked from commit 0b475e91ecc2313207196c6d7fd5c53e1a878525)

Severity CVSS v4.0: Pending analysis
Last modification: 11/05/2026

CVE-2026-31768

Publication date: 01/05/2026

In the Linux kernel, the following vulnerability has been resolved:

iio: adc: ti-adc161s626: use DMA-safe memory for spi_read()

Add a DMA-safe buffer and use it for spi_read() instead of a stack memory. All SPI buffers must be DMA-safe.

Since we only need up to 3 bytes, we just use a u8[] instead of __be16 and __be32 and change the conversion functions appropriately.

Severity CVSS v4.0: Pending analysis
Last modification: 11/05/2026

CVE-2026-31752

Publication date: 01/05/2026

In the Linux kernel, the following vulnerability has been resolved:

bridge: br_nd_send: validate ND option lengths

br_nd_send() walks ND options according to option-provided lengths. A malformed option can make the parser advance beyond the computed option span or use a too-short source LLADDR option payload.

Validate option lengths against the remaining NS option area before advancing, and only read source LLADDR when the option is large enough for an Ethernet address.

Severity CVSS v4.0: Pending analysis
Last modification: 07/05/2026

CVE-2026-31759

Publication date: 01/05/2026

In the Linux kernel, the following vulnerability has been resolved:

usb: ulpi: fix double free in ulpi_register_interface() error path

When device_register() fails, ulpi_register() calls put_device() on ulpi->dev.

The device release callback ulpi_dev_release() drops the OF node reference and frees ulpi, but the current error path in ulpi_register_interface() then calls kfree(ulpi) again, causing a double free.

Let put_device() handle the cleanup through ulpi_dev_release() and avoid freeing ulpi again in ulpi_register_interface().

Severity CVSS v4.0: Pending analysis
Last modification: 08/05/2026

CVE-2026-31758

Publication date: 01/05/2026

In the Linux kernel, the following vulnerability has been resolved:

usb: usbtmc: Flush anchored URBs in usbtmc_release

When calling usbtmc_release, pending anchored URBs must be flushed or killed to prevent use-after-free errors (e.g. in the HCD giveback path). Call usbtmc_draw_down() to allow anchored URBs to be completed.

Severity CVSS v4.0: Pending analysis
Last modification: 08/05/2026

CVE-2026-31757

Publication date: 01/05/2026

In the Linux kernel, the following vulnerability has been resolved:

usb: misc: usbio: Fix URB memory leak on submit failure

When usb_submit_urb() fails in usbio_probe(), the previously allocated URB is never freed, causing a memory leak.

Fix this by jumping to err_free_urb label to properly release the URB on the error path.

Severity CVSS v4.0: Pending analysis
Last modification: 08/05/2026

CVE-2026-31756

Publication date: 01/05/2026

In the Linux kernel, the following vulnerability has been resolved:

usb: dwc2: gadget: Fix spin_lock/unlock mismatch in dwc2_hsotg_udc_stop()

dwc2_gadget_exit_clock_gating() internally calls call_gadget() macro, which expects hsotg->lock to be held since it does spin_unlock/spin_lock around the gadget driver callback invocation.

However, dwc2_hsotg_udc_stop() calls dwc2_gadget_exit_clock_gating() without holding the lock. This leads to:
- spin_unlock on a lock that is not held (undefined behavior)
- The lock remaining held after dwc2_gadget_exit_clock_gating() returns, causing a deadlock when spin_lock_irqsave() is called later in the same function.

Fix this by acquiring hsotg->lock before calling dwc2_gadget_exit_clock_gating() and releasing it afterwards, which satisfies the locking requirement of the call_gadget() macro.

Severity CVSS v4.0: Pending analysis
Last modification: 08/05/2026

CVE-2026-31755

Publication date: 01/05/2026

In the Linux kernel, the following vulnerability has been resolved:

usb: cdns3: gadget: fix NULL pointer dereference in ep_queue

When the gadget endpoint is disabled or not yet configured, the ep->desc pointer can be NULL. This leads to a NULL pointer dereference when __cdns3_gadget_ep_queue() is called, causing a kernel crash.

Add a check to return -ESHUTDOWN if ep->desc is NULL, which is the standard return code for unconfigured endpoints.

This prevents potential crashes when ep_queue is called on endpoints that are not ready.

Severity CVSS v4.0: Pending analysis
Last modification: 08/05/2026

CVE-2026-31754

Publication date: 01/05/2026

In the Linux kernel, the following vulnerability has been resolved:

usb: cdns3: gadget: fix state inconsistency on gadget init failure

When cdns3_gadget_start() fails, the DRD hardware is left in gadget mode while software state remains INACTIVE, creating hardware/software state inconsistency.

When switching to host mode via sysfs:
    echo host > /sys/class/usb_role/13180000.usb-role-switch/role

The role state is not set to CDNS_ROLE_STATE_ACTIVE due to the error, so cdns_role_stop() skips cleanup because state is still INACTIVE. This violates the DRD controller design specification (Figure22), which requires returning to idle state before switching roles.

This leads to a synchronous external abort in xhci_gen_setup() when setting up the host controller:

    [ 516.440698] configfs-gadget 13180000.usb: failed to start g1: -19
    [ 516.442035] cdns-usb3 13180000.usb: Failed to add gadget
    [ 516.443278] cdns-usb3 13180000.usb: set role 2 has failed
    ...
    [ 1301.375722] xhci-hcd xhci-hcd.1.auto: xHCI Host Controller
    [ 1301.377716] Internal error: synchronous external abort: 96000010 [#1] PREEMPT SMP
    [ 1301.382485] pc : xhci_gen_setup+0xa4/0x408
    [ 1301.393391] backtrace:
    ...
    xhci_gen_setup+0xa4/0x408

Severity CVSS v4.0: Pending analysis
Last modification: 08/05/2026

CVE-2026-31753

Publication date: 01/05/2026

In the Linux kernel, the following vulnerability has been resolved:

auxdisplay: line-display: fix NULL dereference in linedisp_release

linedisp_release() currently retrieves the enclosing struct linedisp via to_linedisp(). That lookup depends on the attachment list, but the attachment may already have been removed before put_device() invokes the release callback. This can happen in linedisp_unregister(), and can also be reached from some linedisp_register() error paths.

In that case, to_linedisp() returns NULL and linedisp_release() dereferences it while freeing the display resources.

The struct device released here is the embedded linedisp->dev used by linedisp_register(), so retrieve the enclosing object directly with container_of() instead.

Severity CVSS v4.0: Pending analysis
Last modification: 08/05/2026

CVE-2026-31751

Publication date: 01/05/2026

In the Linux kernel, the following vulnerability has been resolved:

comedi: dt2815: add hardware detection to prevent crash

The dt2815 driver crashes when attached to I/O ports without actual hardware present. This occurs because syzkaller or users can attach the driver to arbitrary I/O addresses via COMEDI_DEVCONFIG ioctl.

When no hardware exists at the specified port, inb() operations return 0xff (floating bus), but outb() operations can trigger page faults due to undefined behavior, especially under race conditions:

    BUG: unable to handle page fault for address: 000000007fffff90
    #PF: supervisor write access in kernel mode
    #PF: error_code(0x0002) - not-present page
    RIP: 0010:dt2815_attach+0x6e0/0x1110

Add hardware detection by reading the status register before attempting any write operations. If the read returns 0xff, assume no hardware is present and fail the attach with -ENODEV. This prevents crashes from outb() operations on non-existent hardware.

Severity CVSS v4.0: Pending analysis
Last modification: 07/05/2026