Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Vulnerabilidades

Con el objetivo de informar, advertir y ayudar a los profesionales sobre las últimas vulnerabilidades de seguridad en sistemas tecnológicos, ponemos a disposición de los usuarios interesados en esta información una base de datos con información en castellano sobre cada una de las últimas vulnerabilidades documentadas y conocidas.

Este repositorio con más de 75.000 registros esta basado en la información de NVD (National Vulnerability Database) – en función de un acuerdo de colaboración – por el cual desde INCIBE realizamos la traducción al castellano de la información incluida. En ocasiones este listado mostrará vulnerabilidades que aún no han sido traducidas debido a que se recogen en el transcurso del tiempo en el que el equipo de INCIBE realiza el proceso de traducción.

Se emplea el estándar de nomenclatura de vulnerabilidades CVE (Common Vulnerabilities and Exposures), con el fin de facilitar el intercambio de información entre diferentes bases de datos y herramientas. Cada una de las vulnerabilidades recogidas enlaza a diversas fuentes de información así como a parches disponibles o soluciones aportadas por los fabricantes y desarrolladores. Es posible realizar búsquedas avanzadas teniendo la opción de seleccionar diferentes criterios como el tipo de vulnerabilidad, fabricante, tipo de impacto entre otros, con el fin de acortar los resultados.

Mediante suscripción RSS o Boletines podemos estar informados diariamente de las últimas vulnerabilidades incorporadas al repositorio.

CVE-2026-46230

Fecha de publicación:
28/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amdgpu/vcn3: Prevent OOB reads when parsing dec msg<br /> <br /> Check bounds against the end of the BO whenever we access the msg.
Gravedad CVSS v3.1: ALTA
Última modificación:
10/06/2026

CVE-2026-46229

Fecha de publicación:
28/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amdkfd: Clear VRAM on allocation to prevent stale data exposure<br /> <br /> KFD VRAM allocations set AMDGPU_GEM_CREATE_VRAM_WIPE_ON_RELEASE<br /> but not AMDGPU_GEM_CREATE_VRAM_CLEARED, leaving freshly allocated<br /> VRAM with stale data from prior use observable by compute kernels.<br /> <br /> The GEM ioctl path already sets VRAM_CLEARED for all userspace<br /> allocations via amdgpu_gem_create_ioctl() and<br /> amdgpu_mode_dumb_create(). The KFD path was missing this flag,<br /> allowing stale page table remnants to leak into user buffers.<br /> <br /> This causes crashes in RCCL P2P transport where non-zero data in<br /> ptrExchange/head/tail fields corrupts the protocol handshake.
Gravedad CVSS v3.1: MEDIA
Última modificación:
10/06/2026

CVE-2026-46228

Fecha de publicación:
28/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> spi: ch341: fix devres lifetime<br /> <br /> USB drivers bind to USB interfaces and any device managed resources<br /> should have their lifetime tied to the interface rather than parent USB<br /> device. This avoids issues like memory leaks when drivers are unbound<br /> without their devices being physically disconnected (e.g. on probe<br /> deferral or configuration changes).<br /> <br /> Fix the controller and driver data lifetime so that they are released<br /> on driver unbind.<br /> <br /> Note that this also makes sure that the SPI controller is placed<br /> correctly under the USB interface in the device tree.
Gravedad CVSS v3.1: MEDIA
Última modificación:
10/06/2026

CVE-2026-46227

Fecha de publicación:
28/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL<br /> <br /> The SCTP_SENDALL path in sctp_sendmsg() iterates ep-&gt;asocs with<br /> list_for_each_entry_safe(), which caches the next entry in @tmp before<br /> the loop body runs. The body calls sctp_sendmsg_to_asoc(), which may<br /> drop the socket lock inside sctp_wait_for_sndbuf().<br /> <br /> While the lock is dropped, another thread can SCTP_SOCKOPT_PEELOFF the<br /> association cached in @tmp, migrating it to a new endpoint via<br /> sctp_sock_migrate() (list_del_init() + list_add_tail() to<br /> newep-&gt;asocs), and optionally close the new socket which frees the<br /> association via kfree_rcu(). The cached @tmp can also be freed by a<br /> network ABORT for that association, processed in softirq while the<br /> lock is dropped.<br /> <br /> sctp_wait_for_sndbuf() revalidates @asoc (the current entry) on re-lock<br /> via the "sk != asoc-&gt;base.sk" and "asoc-&gt;base.dead" checks, but nothing<br /> revalidates @tmp. After a successful return, the iterator advances to<br /> the stale @tmp, yielding either a use-after-free (if the peeled socket<br /> was closed) or a list-walk onto the new endpoint&amp;#39;s list head (type<br /> confusion of &amp;newep-&gt;asocs as a struct sctp_association *).<br /> <br /> Both are reachable from CapEff=0; the type-confusion path gives<br /> controlled indirect call via the outqueue.sched-&gt;init_sid pointer.<br /> <br /> Fix by re-deriving @tmp from @asoc after sctp_sendmsg_to_asoc()<br /> returns. @asoc is known to still be on ep-&gt;asocs at that point: the<br /> only callers that list_del an association from ep-&gt;asocs are<br /> sctp_association_free() (which sets asoc-&gt;base.dead) and<br /> sctp_assoc_migrate() (which changes asoc-&gt;base.sk), and<br /> sctp_wait_for_sndbuf() checks both under the lock before any<br /> successful return; a tripped check propagates as err
Gravedad CVSS v3.1: ALTA
Última modificación:
15/07/2026

CVE-2026-46219

Fecha de publicación:
28/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> spi: mpc52xx: fix use-after-free on unbind<br /> <br /> The state machine work is scheduled by the interrupt handler and<br /> therefore needs to be cancelled after disabling interrupts to avoid a<br /> potential use-after-free.
Gravedad CVSS v3.1: ALTA
Última modificación:
10/06/2026

CVE-2026-46220

Fecha de publicación:
28/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amdgpu/sdma4: replace BUG_ON with WARN_ON in fence emission<br /> <br /> sdma_v4_0_ring_emit_fence() contains two BUG_ON(addr &amp; 0x3) assertions<br /> that verify fence writeback addresses are dword-aligned. These<br /> assertions can be reached from unprivileged userspace via crafted<br /> DRM_IOCTL_AMDGPU_CS submissions, causing a fatal kernel panic in a<br /> scheduler worker thread.<br /> <br /> Replace both BUG_ON() calls with WARN_ON() to log the condition without<br /> crashing the kernel. A misaligned fence address at this point indicates<br /> a driver bug, but crashing the kernel is never the correct response when<br /> the assertion is reachable from userspace.<br /> <br /> The CS IOCTL path is the correct place to filter invalid submissions;<br /> the ring emission callback is too late to do anything about it.<br /> <br /> (cherry picked from commit b90250bd933afd1ba94d86d6b13821997b22b18e)
Gravedad CVSS v3.1: MEDIA
Última modificación:
10/06/2026

CVE-2026-46221

Fecha de publicación:
28/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> EDAC/versalnet: Fix device name memory leak<br /> <br /> The device name allocated via kzalloc() in init_one_mc() is assigned to<br /> dev-&gt;init_name but never freed on the normal removal path. device_register()<br /> copies init_name and then sets dev-&gt;init_name to NULL, so the name pointer<br /> becomes unreachable from the device. Thus leaking memory.<br /> <br /> Use a stack-local char array instead of using kzalloc() for name.
Gravedad CVSS v3.1: MEDIA
Última modificación:
10/06/2026

CVE-2026-46222

Fecha de publicación:
28/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> media: rockchip: rkcif: Add missing MUST_CONNECT flag to pads<br /> <br /> The pads missed checks for connected devices which may a null dereference<br /> when the stream is enabled.<br /> <br /> Unable to handle kernel NULL pointer dereference at virtual address<br /> 0000000000000020<br /> pc : rkcif_interface_enable_streams+0x48/0xf0<br /> lr : rkcif_interface_enable_streams+0x44/0xf0<br /> Call trace:<br /> rkcif_interface_enable_streams+0x48/0xf0<br /> v4l2_subdev_enable_streams+0x26c/0x3f0<br /> rkcif_stream_start_streaming+0x140/0x278<br /> vb2_start_streaming+0x74/0x188<br /> vb2_core_streamon+0xe0/0x1d8<br /> vb2_ioctl_streamon+0x60/0xa8<br /> v4l_streamon+0x2c/0x40<br /> __video_do_ioctl+0x34c/0x400<br /> video_usercopy+0x2d0/0x800<br /> video_ioctl2+0x20/0x60<br /> v4l2_ioctl+0x48/0x78
Gravedad CVSS v3.1: MEDIA
Última modificación:
10/06/2026

CVE-2026-46218

Fecha de publicación:
28/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amdgpu: Add bounds checking to ib_{get,set}_value<br /> <br /> The uvd/vce/vcn code accesses the IB at predefined offsets without<br /> checking that the IB is large enough. Check the bounds here. The caller<br /> is responsible for making sure it can handle arbitrary return values.<br /> <br /> Also make the idx a uint32_t to prevent overflows causing the condition<br /> to fail.
Gravedad CVSS v3.1: ALTA
Última modificación:
10/06/2026

CVE-2026-46216

Fecha de publicación:
28/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/xe/hdcp: Add NULL check for media_gt in intel_hdcp_gsc_check_status()<br /> <br /> When media GT is disabled via configfs, there is no allocation for<br /> media_gt, which is kept as NULL. In such scenario,<br /> intel_hdcp_gsc_check_status() results in a kernel pagefault error due to<br /> &amp;gt-&gt;uc.gsc being evaluated as an invalid memory address.<br /> <br /> Fix that by introducing a NULL check on media_gt and bailing out early<br /> if so.<br /> <br /> While at it, also drop the NULL check for gsc, since it can&amp;#39;t be NULL if<br /> media_gt is not NULL.<br /> <br /> v2:<br /> - Get address for gsc only after checking that gt is not NULL.<br /> (Shuicheng)<br /> - Drop the NULL check for gsc. (Shuicheng)<br /> v3:<br /> - Add "Fixes" and "Cc: " tags. (Matt)<br /> <br /> (cherry picked from commit bfaf87e84ca3ca3f6e275f9ae56da47a8b55ffd1)
Gravedad CVSS v3.1: MEDIA
Última modificación:
10/06/2026

CVE-2026-46214

Fecha de publicación:
28/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> vsock/virtio: fix accept queue count leak on transport mismatch<br /> <br /> virtio_transport_recv_listen() calls sk_acceptq_added() before<br /> vsock_assign_transport(). If vsock_assign_transport() fails or<br /> selects a different transport, the error path returns without<br /> calling sk_acceptq_removed(), permanently incrementing<br /> sk_ack_backlog.<br /> <br /> After approximately backlog+1 such failures, sk_acceptq_is_full()<br /> returns true, causing the listener to reject all new connections.<br /> <br /> Fix by moving sk_acceptq_added() to after the transport validation,<br /> matching the pattern used by vmci_transport and hyperv_transport.
Gravedad CVSS v3.1: MEDIA
Última modificación:
10/06/2026

CVE-2026-46223

Fecha de publicación:
28/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> cgroup: Defer css percpu_ref kill on rmdir until cgroup is depopulated<br /> <br /> A chain of commits going back to v7.0 reworked rmdir to satisfy the<br /> controller invariant that a subsystem&amp;#39;s -&gt;css_offline() must not run while<br /> tasks are still doing kernel-side work in the cgroup.<br /> <br /> [1] d245698d727a ("cgroup: Defer task cgroup unlink until after the task is done switching out")<br /> [2] a72f73c4dd9b ("cgroup: Don&amp;#39;t expose dead tasks in cgroup")<br /> [3] 1b164b876c36 ("cgroup: Wait for dying tasks to leave on rmdir")<br /> [4] 4c56a8ac6869 ("cgroup: Fix cgroup_drain_dying() testing the wrong condition")<br /> [5] 13e786b64bd3 ("cgroup: Increment nr_dying_subsys_* from rmdir context")<br /> <br /> [1] moved task cset unlink from do_exit() to finish_task_switch() so a<br /> task&amp;#39;s cset link drops only after the task has fully stopped scheduling.<br /> That made tasks past exit_signals() linger on cset-&gt;tasks until their final<br /> context switch, which led to a series of problems as what userspace expected<br /> to see after rmdir diverged from what the kernel needs to wait for. [2]-[5]<br /> tried to bridge that divergence: [2] filtered the exiting tasks from<br /> cgroup.procs; [3] had rmdir(2) sleep in TASK_UNINTERRUPTIBLE for them; [4]<br /> fixed the wait&amp;#39;s condition; [5] made nr_dying_subsys_* visible<br /> synchronously.<br /> <br /> The cgroup_drain_dying() wait in [3] turned out to be a dead end. When the<br /> rmdir caller is also the reaper of a zombie that pins a pidns teardown (e.g.<br /> host PID 1 systemd reaping orphan pids that were re-parented to it during<br /> the same teardown), rmdir blocks in TASK_UNINTERRUPTIBLE waiting for those<br /> pids to free, the pids can&amp;#39;t free because PID 1 is the reaper and it&amp;#39;s stuck<br /> in rmdir, and the system A-A deadlocks. No internal lock ordering breaks<br /> this; the wait itself is the bug.<br /> <br /> The css killing side that drove the original reorder, however, can be made<br /> cleanly asynchronous: -&gt;css_offline() is already async, run from<br /> css_killed_work_fn() driven by percpu_ref_kill_and_confirm(). The fix is to<br /> make that chain start only after all tasks have left the cgroup. rmdir&amp;#39;s<br /> user-visible side then returns as soon as cgroup.procs and friends are<br /> empty, while -&gt;css_offline() still runs only after the cgroup is fully<br /> drained.<br /> <br /> Verified by the original reproducer (pidns teardown + zombie reaper, runs<br /> under vng) which hangs vanilla and succeeds here, and by per-commit<br /> deterministic repros for [2], [3], [4], [5] with a boot parameter that<br /> widens the post-exit_signals() window so each state is reliably reachable.<br /> Some stress tests on top of that.<br /> <br /> cgroup_apply_control_disable() has the same shape of pre-existing race:<br /> when a controller is disabled via subtree_control, kill_css() ran<br /> synchronously while tasks past exit_signals() could still be linked to<br /> the cgroup&amp;#39;s csets, and -&gt;css_offline() could fire before they drained.<br /> This patch preserves the existing synchronous behavior at that call site<br /> (kill_css_sync() + kill_css_finish() back-to-back) and a follow-up patch<br /> will defer kill_css_finish() there using a per-css trigger.<br /> <br /> This seems like the right approach and I don&amp;#39;t see problems with it. The<br /> changes are somewhat invasive but not excessively so, so backporting to<br /> -stable should be okay. If something does turn out to be wrong, the fallback<br /> is to revert the entire chain ([1]-[5]) and rework in the development branch<br /> instead.<br /> <br /> v2: Pin cgrp across the deferred destroy work with explicit<br /> cgroup_get()/cgroup_put() around queue_work() and the work_fn. v1<br /> wasn&amp;#39;t actually broken (ordered cgroup_offline_wq + queue_work order<br /> in cgroup_task_dead() saved it) but the explicit ref removes the<br /> dependency on those non-obvious invariants. Also note the<br /> pre-existing cgroup_apply_control_disable() race in the description;<br /> a follow-up will defer kill_css_finish() there.
Gravedad CVSS v3.1: MEDIA
Última modificación:
11/06/2026