Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-6977
Publication date:
25/04/2026
A security vulnerability has been detected in vanna-ai vanna up to 2.0.2. The affected element is an unknown function of the component Legacy Flask API. The manipulation leads to improper authorization. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: MEDIUM
Last modification:
29/04/2026

CVE-2026-31685
Publication date:
25/04/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfilter: ip6t_eui64: reject invalid MAC header for all packets<br /> <br /> `eui64_mt6()` derives a modified EUI-64 from the Ethernet source address<br /> and compares it with the low 64 bits of the IPv6 source address.<br /> <br /> The existing guard only rejects an invalid MAC header when<br /> `par-&gt;fragoff != 0`. For packets with `par-&gt;fragoff == 0`, `eui64_mt6()`<br /> can still reach `eth_hdr(skb)` even when the MAC header is not valid.<br /> <br /> Fix this by removing the `par-&gt;fragoff != 0` condition so that packets<br /> with an invalid MAC header are rejected before accessing `eth_hdr(skb)`.
Severity CVSS v4.0: Pending analysis
Last modification:
06/05/2026

CVE-2026-31684
Publication date:
25/04/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: sched: act_csum: validate nested VLAN headers<br /> <br /> tcf_csum_act() walks nested VLAN headers directly from skb-&gt;data when an<br /> skb still carries in-payload VLAN tags. The current code reads<br /> vlan-&gt;h_vlan_encapsulated_proto and then pulls VLAN_HLEN bytes without<br /> first ensuring that the full VLAN header is present in the linear area.<br /> <br /> If only part of an inner VLAN header is linearized, accessing<br /> h_vlan_encapsulated_proto reads past the linear area, and the following<br /> skb_pull(VLAN_HLEN) may violate skb invariants.<br /> <br /> Fix this by requiring pskb_may_pull(skb, VLAN_HLEN) before accessing and<br /> pulling each nested VLAN header. If the header still is not fully<br /> available, drop the packet through the existing error path.
Severity CVSS v4.0: Pending analysis
Last modification:
06/05/2026

CVE-2026-31683
Publication date:
25/04/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> batman-adv: avoid OGM aggregation when skb tailroom is insufficient<br /> <br /> When OGM aggregation state is toggled at runtime, an existing forwarded<br /> packet may have been allocated with only packet_len bytes, while a later<br /> packet can still be selected for aggregation. Appending in this case can<br /> hit skb_put overflow conditions.<br /> <br /> Reject aggregation when the target skb tailroom cannot accommodate the new<br /> packet. The caller then falls back to creating a new forward packet<br /> instead of appending.
Severity CVSS v4.0: Pending analysis
Last modification:
06/05/2026

CVE-2026-31682
Publication date:
25/04/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bridge: br_nd_send: linearize skb before parsing ND options<br /> <br /> br_nd_send() parses neighbour discovery options from ns-&gt;opt[] and<br /> assumes that these options are in the linear part of request.<br /> <br /> Its callers only guarantee that the ICMPv6 header and target address<br /> are available, so the option area can still be non-linear. Parsing<br /> ns-&gt;opt[] in that case can access data past the linear buffer.<br /> <br /> Linearize request before option parsing and derive ns from the linear<br /> network header.
Severity CVSS v4.0: Pending analysis
Last modification:
06/05/2026

CVE-2026-31681
Publication date:
25/04/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfilter: xt_multiport: validate range encoding in checkentry<br /> <br /> ports_match_v1() treats any non-zero pflags entry as the start of a<br /> port range and unconditionally consumes the next ports[] element as<br /> the range end.<br /> <br /> The checkentry path currently validates protocol, flags and count, but<br /> it does not validate the range encoding itself. As a result, malformed<br /> rules can mark the last slot as a range start or place two range starts<br /> back to back, leaving ports_match_v1() to step past the last valid<br /> ports[] element while interpreting the rule.<br /> <br /> Reject malformed multiport v1 rules in checkentry by validating that<br /> each range start has a following element and that the following element<br /> is not itself marked as another range start.
Severity CVSS v4.0: Pending analysis
Last modification:
06/05/2026

CVE-2026-31680
Publication date:
25/04/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: ipv6: flowlabel: defer exclusive option free until RCU teardown<br /> <br /> `ip6fl_seq_show()` walks the global flowlabel hash under the seq-file<br /> RCU read-side lock and prints `fl-&gt;opt-&gt;opt_nflen` when an option block<br /> is present.<br /> <br /> Exclusive flowlabels currently free `fl-&gt;opt` as soon as `fl-&gt;users`<br /> drops to zero in `fl_release()`. However, the surrounding<br /> `struct ip6_flowlabel` remains visible in the global hash table until<br /> later garbage collection removes it and `fl_free_rcu()` finally tears it<br /> down.<br /> <br /> A concurrent `/proc/net/ip6_flowlabel` reader can therefore race that<br /> early `kfree()` and dereference freed option state, triggering a crash<br /> in `ip6fl_seq_show()`.<br /> <br /> Fix this by keeping `fl-&gt;opt` alive until `fl_free_rcu()`. That matches<br /> the lifetime already required for the enclosing flowlabel while readers<br /> can still reach it under RCU.
Severity CVSS v4.0: Pending analysis
Last modification:
06/05/2026

CVE-2026-31679
Publication date:
25/04/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> openvswitch: validate MPLS set/set_masked payload length<br /> <br /> validate_set() accepted OVS_KEY_ATTR_MPLS as variable-sized payload for<br /> SET/SET_MASKED actions. In action handling, OVS expects fixed-size<br /> MPLS key data (struct ovs_key_mpls).<br /> <br /> Use the already normalized key_len (masked case included) and reject<br /> non-matching MPLS action key sizes.<br /> <br /> Reject invalid MPLS action payload lengths early.
Severity CVSS v4.0: Pending analysis
Last modification:
06/05/2026

CVE-2026-31678
Publication date:
25/04/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> openvswitch: defer tunnel netdev_put to RCU release<br /> <br /> ovs_netdev_tunnel_destroy() may run after NETDEV_UNREGISTER already<br /> detached the device. Dropping the netdev reference in destroy can race<br /> with concurrent readers that still observe vport-&gt;dev.<br /> <br /> Do not release vport-&gt;dev in ovs_netdev_tunnel_destroy(). Instead, let<br /> vport_netdev_free() drop the reference from the RCU callback, matching<br /> the non-tunnel destroy path and avoiding additional synchronization<br /> under RTNL.
Severity CVSS v4.0: Pending analysis
Last modification:
06/05/2026

CVE-2026-31677
Publication date:
25/04/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> crypto: af_alg - limit RX SG extraction by receive buffer budget<br /> <br /> Make af_alg_get_rsgl() limit each RX scatterlist extraction to the<br /> remaining receive buffer budget.<br /> <br /> af_alg_get_rsgl() currently uses af_alg_readable() only as a gate<br /> before extracting data into the RX scatterlist. Limit each extraction<br /> to the remaining af_alg_rcvbuf(sk) budget so that receive-side<br /> accounting matches the amount of data attached to the request.<br /> <br /> If skcipher cannot obtain enough RX space for at least one chunk while<br /> more data remains to be processed, reject the recvmsg call instead of<br /> rounding the request length down to zero.
Severity CVSS v4.0: Pending analysis
Last modification:
06/05/2026

CVE-2026-31676
Publication date:
25/04/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> rxrpc: only handle RESPONSE during service challenge<br /> <br /> Only process RESPONSE packets while the service connection is still in<br /> RXRPC_CONN_SERVICE_CHALLENGING. Check that state under state_lock before<br /> running response verification and security initialization, then use a local<br /> secured flag to decide whether to queue the secured-connection work after<br /> the state transition. This keeps duplicate or late RESPONSE packets from<br /> re-running the setup path and removes the unlocked post-transition state<br /> test.
Severity CVSS v4.0: Pending analysis
Last modification:
06/05/2026

CVE-2026-31675
Publication date:
25/04/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/sched: sch_netem: fix out-of-bounds access in packet corruption<br /> <br /> In netem_enqueue(), the packet corruption logic uses<br /> get_random_u32_below(skb_headlen(skb)) to select an index for<br /> modifying skb-&gt;data. When an AF_PACKET TX_RING sends fully non-linear<br /> packets over an IPIP tunnel, skb_headlen(skb) evaluates to 0.<br /> <br /> Passing 0 to get_random_u32_below() takes the variable-ceil slow path<br /> which returns an unconstrained 32-bit random integer. Using this<br /> unconstrained value as an offset into skb-&gt;data results in an<br /> out-of-bounds memory access.<br /> <br /> Fix this by verifying skb_headlen(skb) is non-zero before attempting<br /> to corrupt the linear data area. Fully non-linear packets will silently<br /> bypass the corruption logic.
Severity CVSS v4.0: Pending analysis
Last modification:
06/05/2026
Subscribe to Vulnerabilities