Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Vulnerabilidades

Con el objetivo de informar, advertir y ayudar a los profesionales sobre las ultimas vulnerabilidades de seguridad en sistemas tecnológicos, ponemos a disposición de los usuarios interesados en esta información una base de datos con información en castellano sobre cada una de las ultimas vulnerabilidades documentadas y conocidas.

Este repositorio con más de 75.000 registros esta basado en la información de NVD (National Vulnerability Database) – en función de un acuerdo de colaboración – por el cual desde INCIBE realizamos la traducción al castellano de la información incluida. En ocasiones este listado mostrará vulnerabilidades que aún no han sido traducidas debido a que se recogen en el transcurso del tiempo en el que el equipo de INCIBE realiza el proceso de traducción.

Se emplea el estándar de nomenclatura de vulnerabilidades CVE (Common Vulnerabilities and Exposures), con el fin de facilitar el intercambio de información entre diferentes bases de datos y herramientas. Cada una de las vulnerabilidades recogidas enlaza a diversas fuentes de información así como a parches disponibles o soluciones aportadas por los fabricantes y desarrolladores. Es posible realizar búsquedas avanzadas teniendo la opción de seleccionar diferentes criterios como el tipo de vulnerabilidad, fabricante, tipo de impacto entre otros, con el fin de acortar los resultados.

Mediante suscripción RSS o Boletines podemos estar informados diariamente de las ultimas vulnerabilidades incorporadas al repositorio.

CVE-2023-53306

Fecha de publicación:
16/09/2025
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> fsdax: force clear dirty mark if CoW<br /> <br /> XFS allows CoW on non-shared extents to combat fragmentation[1]. The old<br /> non-shared extent could be mwrited before, its dax entry is marked dirty. <br /> <br /> This results in a WARNing:<br /> <br /> [ 28.512349] ------------[ cut here ]------------<br /> [ 28.512622] WARNING: CPU: 2 PID: 5255 at fs/dax.c:390 dax_insert_entry+0x342/0x390<br /> [ 28.513050] Modules linked in: rpcsec_gss_krb5 auth_rpcgss nfsv4 nfs lockd grace fscache netfs nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables<br /> [ 28.515462] CPU: 2 PID: 5255 Comm: fsstress Kdump: loaded Not tainted 6.3.0-rc1-00001-g85e1481e19c1-dirty #117<br /> [ 28.515902] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS Arch Linux 1.16.1-1-1 04/01/2014<br /> [ 28.516307] RIP: 0010:dax_insert_entry+0x342/0x390<br /> [ 28.516536] Code: 30 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc 48 8b 45 20 48 83 c0 01 e9 e2 fe ff ff 48 8b 45 20 48 83 c0 01 e9 cd fe ff ff 0b e9 53 ff ff ff 48 8b 7c 24 08 31 f6 e8 1b 61 a1 00 eb 8c 48<br /> [ 28.517417] RSP: 0000:ffffc9000845fb18 EFLAGS: 00010086<br /> [ 28.517721] RAX: 0000000000000053 RBX: 0000000000000155 RCX: 000000000018824b<br /> [ 28.518113] RDX: 0000000000000000 RSI: ffffffff827525a6 RDI: 00000000ffffffff<br /> [ 28.518515] RBP: ffffea00062092c0 R08: 0000000000000000 R09: ffffc9000845f9c8<br /> [ 28.518905] R10: 0000000000000003 R11: ffffffff82ddb7e8 R12: 0000000000000155<br /> [ 28.519301] R13: 0000000000000000 R14: 000000000018824b R15: ffff88810cfa76b8<br /> [ 28.519703] FS: 00007f14a0c94740(0000) GS:ffff88817bd00000(0000) knlGS:0000000000000000<br /> [ 28.520148] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [ 28.520472] CR2: 00007f14a0c8d000 CR3: 000000010321c004 CR4: 0000000000770ee0<br /> [ 28.520863] PKRU: 55555554<br /> [ 28.521043] Call Trace:<br /> [ 28.521219] <br /> [ 28.521368] dax_fault_iter+0x196/0x390<br /> [ 28.521595] dax_iomap_pte_fault+0x19b/0x3d0<br /> [ 28.521852] __xfs_filemap_fault+0x234/0x2b0<br /> [ 28.522116] __do_fault+0x30/0x130<br /> [ 28.522334] do_fault+0x193/0x340<br /> [ 28.522586] __handle_mm_fault+0x2d3/0x690<br /> [ 28.522975] handle_mm_fault+0xe6/0x2c0<br /> [ 28.523259] do_user_addr_fault+0x1bc/0x6f0<br /> [ 28.523521] exc_page_fault+0x60/0x140<br /> [ 28.523763] asm_exc_page_fault+0x22/0x30<br /> [ 28.524001] RIP: 0033:0x7f14a0b589ca<br /> [ 28.524225] Code: c5 fe 7f 07 c5 fe 7f 47 20 c5 fe 7f 47 40 c5 fe 7f 47 60 c5 f8 77 c3 66 0f 1f 84 00 00 00 00 00 40 0f b6 c6 48 89 d1 48 89 fa aa 48 89 d0 c5 f8 77 c3 66 66 2e 0f 1f 84 00 00 00 00 00 66 90<br /> [ 28.525198] RSP: 002b:00007fff1dea1c98 EFLAGS: 00010202<br /> [ 28.525505] RAX: 000000000000001e RBX: 000000000014a000 RCX: 0000000000006046<br /> [ 28.525895] RDX: 00007f14a0c82000 RSI: 000000000000001e RDI: 00007f14a0c8d000<br /> [ 28.526290] RBP: 000000000000006f R08: 0000000000000004 R09: 000000000014a000<br /> [ 28.526681] R10: 0000000000000008 R11: 0000000000000246 R12: 028f5c28f5c28f5c<br /> [ 28.527067] R13: 8f5c28f5c28f5c29 R14: 0000000000011046 R15: 00007f14a0c946c0<br /> [ 28.527449] <br /> [ 28.527600] ---[ end trace 0000000000000000 ]---<br /> <br /> <br /> To be able to delete this entry, clear its dirty mark before<br /> invalidate_inode_pages2_range().<br /> <br /> [1] https://lore.kernel.org/linux-xfs/20230321151339.GA11376@frogsfrogsfrogs/
Gravedad: Pendiente de análisis
Última modificación:
17/09/2025

CVE-2023-53307

Fecha de publicación:
16/09/2025
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> rbd: avoid use-after-free in do_rbd_add() when rbd_dev_create() fails<br /> <br /> If getting an ID or setting up a work queue in rbd_dev_create() fails,<br /> use-after-free on rbd_dev-&gt;rbd_client, rbd_dev-&gt;spec and rbd_dev-&gt;opts<br /> is triggered in do_rbd_add(). The root cause is that the ownership of<br /> these structures is transfered to rbd_dev prematurely and they all end<br /> up getting freed when rbd_dev_create() calls rbd_dev_free() prior to<br /> returning to do_rbd_add().<br /> <br /> Found by Linux Verification Center (linuxtesting.org) with SVACE, an<br /> incomplete patch submitted by Natalia Petrova .
Gravedad: Pendiente de análisis
Última modificación:
17/09/2025

CVE-2023-53308

Fecha de publicación:
16/09/2025
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: fec: Better handle pm_runtime_get() failing in .remove()<br /> <br /> In the (unlikely) event that pm_runtime_get() (disguised as<br /> pm_runtime_resume_and_get()) fails, the remove callback returned an<br /> error early. The problem with this is that the driver core ignores the<br /> error value and continues removing the device. This results in a<br /> resource leak. Worse the devm allocated resources are freed and so if a<br /> callback of the driver is called later the register mapping is already<br /> gone which probably results in a crash.
Gravedad: Pendiente de análisis
Última modificación:
17/09/2025

CVE-2023-53309

Fecha de publicación:
16/09/2025
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/radeon: Fix integer overflow in radeon_cs_parser_init<br /> <br /> The type of size is unsigned, if size is 0x40000000, there will be an<br /> integer overflow, size will be zero after size *= sizeof(uint32_t),<br /> will cause uninitialized memory to be referenced later
Gravedad: Pendiente de análisis
Última modificación:
17/09/2025

CVE-2023-53310

Fecha de publicación:
16/09/2025
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> power: supply: axp288_fuel_gauge: Fix external_power_changed race<br /> <br /> fuel_gauge_external_power_changed() dereferences info-&gt;bat,<br /> which gets sets in axp288_fuel_gauge_probe() like this:<br /> <br /> info-&gt;bat = devm_power_supply_register(dev, &amp;fuel_gauge_desc, &amp;psy_cfg);<br /> <br /> As soon as devm_power_supply_register() has called device_add()<br /> the external_power_changed callback can get called. So there is a window<br /> where fuel_gauge_external_power_changed() may get called while<br /> info-&gt;bat has not been set yet leading to a NULL pointer dereference.<br /> <br /> Fixing this is easy. The external_power_changed callback gets passed<br /> the power_supply which will eventually get stored in info-&gt;bat,<br /> so fuel_gauge_external_power_changed() can simply directly use<br /> the passed in psy argument which is always valid.
Gravedad: Pendiente de análisis
Última modificación:
17/09/2025

CVE-2023-53311

Fecha de publicación:
16/09/2025
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> nilfs2: fix use-after-free of nilfs_root in dirtying inodes via iput<br /> <br /> During unmount process of nilfs2, nothing holds nilfs_root structure after<br /> nilfs2 detaches its writer in nilfs_detach_log_writer(). Previously,<br /> nilfs_evict_inode() could cause use-after-free read for nilfs_root if<br /> inodes are left in "garbage_list" and released by nilfs_dispose_list at<br /> the end of nilfs_detach_log_writer(), and this bug was fixed by commit<br /> 9b5a04ac3ad9 ("nilfs2: fix use-after-free bug of nilfs_root in<br /> nilfs_evict_inode()").<br /> <br /> However, it turned out that there is another possibility of UAF in the<br /> call path where mark_inode_dirty_sync() is called from iput():<br /> <br /> nilfs_detach_log_writer()<br /> nilfs_dispose_list()<br /> iput()<br /> mark_inode_dirty_sync()<br /> __mark_inode_dirty()<br /> nilfs_dirty_inode()<br /> __nilfs_mark_inode_dirty()<br /> nilfs_load_inode_block() --&gt; causes UAF of nilfs_root struct<br /> <br /> This can happen after commit 0ae45f63d4ef ("vfs: add support for a<br /> lazytime mount option"), which changed iput() to call<br /> mark_inode_dirty_sync() on its final reference if i_state has I_DIRTY_TIME<br /> flag and i_nlink is non-zero.<br /> <br /> This issue appears after commit 28a65b49eb53 ("nilfs2: do not write dirty<br /> data after degenerating to read-only") when using the syzbot reproducer,<br /> but the issue has potentially existed before.<br /> <br /> Fix this issue by adding a "purging flag" to the nilfs structure, setting<br /> that flag while disposing the "garbage_list" and checking it in<br /> __nilfs_mark_inode_dirty().<br /> <br /> Unlike commit 9b5a04ac3ad9 ("nilfs2: fix use-after-free bug of nilfs_root<br /> in nilfs_evict_inode()"), this patch does not rely on ns_writer to<br /> determine whether to skip operations, so as not to break recovery on<br /> mount. The nilfs_salvage_orphan_logs routine dirties the buffer of<br /> salvaged data before attaching the log writer, so changing<br /> __nilfs_mark_inode_dirty() to skip the operation when ns_writer is NULL<br /> will cause recovery write to fail. The purpose of using the cleanup-only<br /> flag is to allow for narrowing of such conditions.
Gravedad: Pendiente de análisis
Última modificación:
17/09/2025

CVE-2022-50352

Fecha de publicación:
16/09/2025
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: hns: fix possible memory leak in hnae_ae_register()<br /> <br /> Inject fault while probing module, if device_register() fails,<br /> but the refcount of kobject is not decreased to 0, the name<br /> allocated in dev_set_name() is leaked. Fix this by calling<br /> put_device(), so that name can be freed in callback function<br /> kobject_cleanup().<br /> <br /> unreferenced object 0xffff00c01aba2100 (size 128):<br /> comm "systemd-udevd", pid 1259, jiffies 4294903284 (age 294.152s)<br /> hex dump (first 32 bytes):<br /> 68 6e 61 65 30 00 00 00 18 21 ba 1a c0 00 ff ff hnae0....!......<br /> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br /> backtrace:<br /> [] slab_post_alloc_hook+0xa0/0x3e0<br /> [] __kmem_cache_alloc_node+0x164/0x2b0<br /> [] __kmalloc_node_track_caller+0x6c/0x390<br /> [] kvasprintf+0x8c/0x118<br /> [] kvasprintf_const+0x60/0xc8<br /> [] kobject_set_name_vargs+0x3c/0xc0<br /> [] dev_set_name+0x7c/0xa0<br /> [] hnae_ae_register+0xcc/0x190 [hnae]<br /> [] hns_dsaf_ae_init+0x9c/0x108 [hns_dsaf]<br /> [] hns_dsaf_probe+0x548/0x748 [hns_dsaf]
Gravedad: Pendiente de análisis
Última modificación:
17/09/2025

CVE-2023-53304

Fecha de publicación:
16/09/2025
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfilter: nft_set_rbtree: fix overlap expiration walk<br /> <br /> The lazy gc on insert that should remove timed-out entries fails to release<br /> the other half of the interval, if any.<br /> <br /> Can be reproduced with tests/shell/testcases/sets/0044interval_overlap_0<br /> in nftables.git and kmemleak enabled kernel.<br /> <br /> Second bug is the use of rbe_prev vs. prev pointer.<br /> If rbe_prev() returns NULL after at least one iteration, rbe_prev points<br /> to element that is not an end interval, hence it should not be removed.<br /> <br /> Lastly, check the genmask of the end interval if this is active in the<br /> current generation.
Gravedad: Pendiente de análisis
Última modificación:
17/09/2025

CVE-2022-50344

Fecha de publicación:
16/09/2025
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ext4: fix null-ptr-deref in ext4_write_info<br /> <br /> I caught a null-ptr-deref bug as follows:<br /> ==================================================================<br /> KASAN: null-ptr-deref in range [0x0000000000000068-0x000000000000006f]<br /> CPU: 1 PID: 1589 Comm: umount Not tainted 5.10.0-02219-dirty #339<br /> RIP: 0010:ext4_write_info+0x53/0x1b0<br /> [...]<br /> Call Trace:<br /> dquot_writeback_dquots+0x341/0x9a0<br /> ext4_sync_fs+0x19e/0x800<br /> __sync_filesystem+0x83/0x100<br /> sync_filesystem+0x89/0xf0<br /> generic_shutdown_super+0x79/0x3e0<br /> kill_block_super+0xa1/0x110<br /> deactivate_locked_super+0xac/0x130<br /> deactivate_super+0xb6/0xd0<br /> cleanup_mnt+0x289/0x400<br /> __cleanup_mnt+0x16/0x20<br /> task_work_run+0x11c/0x1c0<br /> exit_to_user_mode_prepare+0x203/0x210<br /> syscall_exit_to_user_mode+0x5b/0x3a0<br /> do_syscall_64+0x59/0x70<br /> entry_SYSCALL_64_after_hwframe+0x44/0xa9<br /> ==================================================================<br /> <br /> Above issue may happen as follows:<br /> -------------------------------------<br /> exit_to_user_mode_prepare<br /> task_work_run<br /> __cleanup_mnt<br /> cleanup_mnt<br /> deactivate_super<br /> deactivate_locked_super<br /> kill_block_super<br /> generic_shutdown_super<br /> shrink_dcache_for_umount<br /> dentry = sb-&gt;s_root<br /> sb-&gt;s_root = NULL s_op-&gt;sync_fs &gt; ext4_sync_fs<br /> dquot_writeback_dquots<br /> sb-&gt;dq_op-&gt;write_info &gt; ext4_write_info<br /> ext4_journal_start(d_inode(sb-&gt;s_root), EXT4_HT_QUOTA, 2)<br /> d_inode(sb-&gt;s_root)<br /> s_root-&gt;d_inode
Gravedad: Pendiente de análisis
Última modificación:
17/09/2025

CVE-2022-50345

Fecha de publicación:
16/09/2025
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> NFSD: Protect against send buffer overflow in NFSv3 READ<br /> <br /> Since before the git era, NFSD has conserved the number of pages<br /> held by each nfsd thread by combining the RPC receive and send<br /> buffers into a single array of pages. This works because there are<br /> no cases where an operation needs a large RPC Call message and a<br /> large RPC Reply at the same time.<br /> <br /> Once an RPC Call has been received, svc_process() updates<br /> svc_rqst::rq_res to describe the part of rq_pages that can be<br /> used for constructing the Reply. This means that the send buffer<br /> (rq_res) shrinks when the received RPC record containing the RPC<br /> Call is large.<br /> <br /> A client can force this shrinkage on TCP by sending a correctly-<br /> formed RPC Call header contained in an RPC record that is<br /> excessively large. The full maximum payload size cannot be<br /> constructed in that case.
Gravedad: Pendiente de análisis
Última modificación:
17/09/2025

CVE-2022-50346

Fecha de publicación:
16/09/2025
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ext4: init quota for &amp;#39;old.inode&amp;#39; in &amp;#39;ext4_rename&amp;#39;<br /> <br /> Syzbot found the following issue:<br /> ext4_parse_param: s_want_extra_isize=128<br /> ext4_inode_info_init: s_want_extra_isize=32<br /> ext4_rename: old.inode=ffff88823869a2c8 old.dir=ffff888238699828 new.inode=ffff88823869d7e8 new.dir=ffff888238699828<br /> __ext4_mark_inode_dirty: inode=ffff888238699828 ea_isize=32 want_ea_size=128<br /> __ext4_mark_inode_dirty: inode=ffff88823869a2c8 ea_isize=32 want_ea_size=128<br /> ext4_xattr_block_set: inode=ffff88823869a2c8<br /> ------------[ cut here ]------------<br /> WARNING: CPU: 13 PID: 2234 at fs/ext4/xattr.c:2070 ext4_xattr_block_set.cold+0x22/0x980<br /> Modules linked in:<br /> RIP: 0010:ext4_xattr_block_set.cold+0x22/0x980<br /> RSP: 0018:ffff888227d3f3b0 EFLAGS: 00010202<br /> RAX: 0000000000000001 RBX: ffff88823007a000 RCX: 0000000000000000<br /> RDX: 0000000000000a03 RSI: 0000000000000040 RDI: ffff888230078178<br /> RBP: 0000000000000000 R08: 000000000000002c R09: ffffed1075c7df8e<br /> R10: ffff8883ae3efc6b R11: ffffed1075c7df8d R12: 0000000000000000<br /> R13: ffff88823869a2c8 R14: ffff8881012e0460 R15: dffffc0000000000<br /> FS: 00007f350ac1f740(0000) GS:ffff8883ae200000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 00007f350a6ed6a0 CR3: 0000000237456000 CR4: 00000000000006e0<br /> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> Call Trace:<br /> <br /> ? ext4_xattr_set_entry+0x3b7/0x2320<br /> ? ext4_xattr_block_set+0x0/0x2020<br /> ? ext4_xattr_set_entry+0x0/0x2320<br /> ? ext4_xattr_check_entries+0x77/0x310<br /> ? ext4_xattr_ibody_set+0x23b/0x340<br /> ext4_xattr_move_to_block+0x594/0x720<br /> ext4_expand_extra_isize_ea+0x59a/0x10f0<br /> __ext4_expand_extra_isize+0x278/0x3f0<br /> __ext4_mark_inode_dirty.cold+0x347/0x410<br /> ext4_rename+0xed3/0x174f<br /> vfs_rename+0x13a7/0x2510<br /> do_renameat2+0x55d/0x920<br /> __x64_sys_rename+0x7d/0xb0<br /> do_syscall_64+0x3b/0xa0<br /> entry_SYSCALL_64_after_hwframe+0x72/0xdc<br /> <br /> As &amp;#39;ext4_rename&amp;#39; will modify &amp;#39;old.inode&amp;#39; ctime and mark inode dirty,<br /> which may trigger expand &amp;#39;extra_isize&amp;#39; and allocate block. If inode<br /> didn&amp;#39;t init quota will lead to warning. To solve above issue, init<br /> &amp;#39;old.inode&amp;#39; firstly in &amp;#39;ext4_rename&amp;#39;.
Gravedad: Pendiente de análisis
Última modificación:
17/09/2025

CVE-2022-50347

Fecha de publicación:
16/09/2025
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mmc: rtsx_usb_sdmmc: fix return value check of mmc_add_host()<br /> <br /> mmc_add_host() may return error, if we ignore its return value, the memory<br /> that allocated in mmc_alloc_host() will be leaked and it will lead a kernel<br /> crash because of deleting not added device in the remove path.<br /> <br /> So fix this by checking the return value and calling mmc_free_host() in the<br /> error path, besides, led_classdev_unregister() and pm_runtime_disable() also<br /> need be called.
Gravedad: Pendiente de análisis
Última modificación:
17/09/2025