Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-53301

Publication date:
26/06/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> reset: amlogic: t7: Fix null reset ops<br /> <br /> Fix missing reset ops causing kernel null pointer dereference.<br /> This SOC&amp;#39;s reset is currently not used yet.
Severity CVSS v4.0: Pending analysis
Last modification:
30/06/2026

CVE-2026-53302

Publication date:
26/06/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> crypto: eip93 - fix hmac setkey algo selection<br /> <br /> eip93_hmac_setkey() allocates a temporary ahash transform for<br /> computing HMAC ipad/opad key material. The allocation uses the<br /> driver-specific cra_driver_name (e.g. "sha256-eip93") but passes<br /> CRYPTO_ALG_ASYNC as the mask, which excludes async algorithms.<br /> <br /> Since the EIP93 hash algorithms are the only ones registered<br /> under those driver names and they are inherently async, the<br /> lookup is self-contradictory and always fails with -ENOENT.<br /> <br /> When called from the AEAD setkey path, this failure leaves the<br /> SA record partially initialized with zeroed digest fields. A<br /> subsequent crypto operation then dereferences a NULL pointer in<br /> the request context, resulting in a kernel panic:<br /> <br /> ```<br /> pc : eip93_aead_handle_result+0xc8c/0x1240 [crypto_hw_eip93]<br /> lr : eip93_aead_handle_result+0xbec/0x1240 [crypto_hw_eip93]<br /> sp : ffffffc082feb820<br /> x29: ffffffc082feb820 x28: ffffff8011043980 x27: 0000000000000000<br /> x26: 0000000000000000 x25: ffffffc078da0bc8 x24: 0000000091043980<br /> x23: ffffff8004d59e50 x22: ffffff8004d59410 x21: ffffff8004d593c0<br /> x20: ffffff8004d593c0 x19: ffffff8004d4f300 x18: 0000000000000000<br /> x17: 0000000000000000 x16: 0000000000000000 x15: 0000007fda7aa498<br /> x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000<br /> x11: 0000000000000000 x10: fffffffff8127a80 x9 : 0000000000000000<br /> x8 : ffffff8004d4f380 x7 : 0000000000000000 x6 : 000000000000003f<br /> x5 : 0000000000000040 x4 : 0000000000000008 x3 : 0000000000000009<br /> x2 : 0000000000000008 x1 : 0000000028000003 x0 : ffffff8004d388c0<br /> Code: 910142b6 f94012e0 f9002aa0 f90006d3 (f9400740)<br /> ```<br /> <br /> The reported symbol eip93_aead_handle_result+0xc8c is a<br /> resolution artifact from static functions being merged under<br /> the nearest exported symbol. Decoding the faulting sequence:<br /> <br /> ```<br /> 910142b6 ADD X22, X21, #0x50<br /> f94012e0 LDR X0, [X23, #0x20]<br /> f9002aa0 STR X0, [X21, #0x50]<br /> f90006d3 STR X19, [X22, #0x8]<br /> f9400740 LDR X0, [X26, #0x8]<br /> ```<br /> <br /> The faulting LDR at [X26, #0x8] is loading ctx-&gt;flags<br /> (offset 8 in eip93_hash_ctx), where ctx has been resolved<br /> to NULL from a partially initialized or unreachable<br /> transform context following the failed setkey.<br /> <br /> Fix this by dropping the CRYPTO_ALG_ASYNC mask from the<br /> crypto_alloc_ahash() call. The code already handles async<br /> completion correctly via crypto_wait_req(), so there is no<br /> requirement to restrict the lookup to synchronous algorithms.<br /> <br /> Note that hashing a single 64-byte block through the hardware<br /> is likely slower than doing it in software due to the DMA<br /> round-trip overhead, but offloading it may still spare CPU<br /> cycles on the slower embedded cores where this IP is found.<br /> <br /> [Detailed investigation report of this bug]
Severity CVSS v4.0: Pending analysis
Last modification:
30/06/2026

CVE-2026-53303

Publication date:
26/06/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> f2fs: protect extension_list reading with sb_lock in f2fs_sbi_show()<br /> <br /> In f2fs_sbi_show(), the extension_list, extension_count and<br /> hot_ext_count are read without holding sbi-&gt;sb_lock. If a concurrent<br /> sysfs store modifies the extension list via f2fs_update_extension_list(),<br /> the show path may read inconsistent count and array contents, potentially<br /> leading to out-of-bounds access or displaying stale data.<br /> <br /> Fix this by holding sb_lock around the entire extension list read<br /> and format operation.
Severity CVSS v4.0: Pending analysis
Last modification:
30/06/2026

CVE-2026-53304

Publication date:
26/06/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> scsi: sg: Resolve soft lockup issue when opening /dev/sgX<br /> <br /> The parameter def_reserved_size defines the default buffer size reserved<br /> for each Sg_fd and should be restricted to a range between 0 and 1,048,576<br /> (see https://tldp.org/HOWTO/SCSI-Generic-HOWTO/proc.html). Although the<br /> function sg_proc_write_dressz enforces this limit, it is possible to bypass<br /> it by directly modifying the module parameter as shown below, which then<br /> causes a soft lockup:<br /> <br /> echo -1 &gt; /sys/module/sg/parameters/def_reserved_size<br /> exec 4 /dev/sg0<br /> <br /> watchdog: BUG: soft lockup - CPU#5 stuck for 26 seconds! [bash:537]<br /> Modules loaded:<br /> CPU: 5 UID: 0 PID: 537 Command: bash, kernel version 6.19.0-rc3+ #134,<br /> PREEMPT disabled<br /> Hardware: QEMU Standard PC (i440FX + PIIX, 1996), BIOS version<br /> 1.16.1-2.fc37 dated 04/01/2014<br /> ...<br /> Call Trace:<br /> <br /> sg_build_reserve+0x5c/0xa0<br /> sg_add_sfp+0x168/0x270<br /> sg_open+0x16e/0x340<br /> chrdev_open+0xbe/0x230<br /> do_dentry_open+0x175/0x480<br /> vfs_open+0x34/0xf0<br /> do_open+0x265/0x3d0<br /> path_openat+0x110/0x290<br /> do_filp_open+0xc3/0x170<br /> do_sys_openat2+0x71/0xe0<br /> __x64_sys_openat+0x6d/0xa0<br /> do_syscall_64+0x62/0x310<br /> entry_SYSCALL_64_after_hwframe+0x76/0x7e<br /> <br /> The fix is to use module_param_cb to validate and reject invalid values<br /> assigned to def_reserved_size.
Severity CVSS v4.0: Pending analysis
Last modification:
30/06/2026

CVE-2026-53305

Publication date:
26/06/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> usb: typec: ps883x: Fix Oops at unbind<br /> <br /> When trying to unbind a device in order to bind to it vfio-platform as:<br /> <br /> echo bc0000.geniqup &gt; /sys/bus/platform/devices/bc0000.geniqup/driver/unbind<br /> <br /> I get the following Oops:<br /> <br /> [ 436.478639] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020<br /> [ 436.487762] Mem abort info:<br /> [ 436.490716] ESR = 0x0000000096000004<br /> [ 436.494595] EC = 0x25: DABT (current EL), IL = 32 bits<br /> [ 436.500071] SET = 0, FnV = 0<br /> [ 436.503250] EA = 0, S1PTW = 0<br /> [ 436.506505] FSC = 0x04: level 0 translation fault<br /> [ 436.511533] Data abort info:<br /> [ 436.514558] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000<br /> [ 436.520215] CM = 0, WnR = 0, TnD = 0, TagAccess = 0<br /> [ 436.525436] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0<br /> [ 436.530918] user pgtable: 4k pages, 48-bit VAs, pgdp=00000008861a9000<br /> [ 436.537554] [0000000000000020] pgd=0000000000000000, p4d=0000000000000000<br /> [ 436.544548] Internal error: Oops: 0000000096000004 [#1] SMP<br /> [ 436.550374] Modules linked in:<br /> [ 436.553542] CPU: 2 UID: 0 PID: 671 Comm: bash Tainted: G W 7.0.0-rc3-g56fcdd0911a5-dirty #2 PREEMPT<br /> [ 436.564440] Tainted: [W]=WARN<br /> [ 436.567515] Hardware name: LENOVO 91B6CTO1WW/3796, BIOS O6NKT3BA 05/02/2025<br /> [ 436.574675] pstate: 21400005 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)<br /> [ 436.581841] pc : ps883x_retimer_remove+0x14/0x94<br /> [ 436.586605] lr : i2c_device_remove+0x28/0x84<br /> [ 436.591017] sp : ffff8000847137c0<br /> <br /> That&amp;#39;s because the ps883x_retimer_remove() retrieves the driver data<br /> from i2c_get_clientdata() which was never set at probe. So, add<br /> i2c_set_clientdata() at the end of the probe.
Severity CVSS v4.0: Pending analysis
Last modification:
30/06/2026

CVE-2026-53306

Publication date:
26/06/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> tty: hvc_iucv: fix off-by-one in number of supported devices<br /> <br /> MAX_HVC_IUCV_LINES == HVC_ALLOC_TTY_ADAPTERS == 8.<br /> This is the number of entries in:<br /> static struct hvc_iucv_private *hvc_iucv_table[MAX_HVC_IUCV_LINES];<br /> <br /> Sometimes hvc_iucv_table[] is limited by:<br /> (a) if (num &gt; hvc_iucv_devices) // for error detection<br /> or<br /> (b) for (i = 0; i MAX_HVC_IUCV_LINES)<br /> <br /> If hvc_iucv_devices == 8, (a) allows the code to access hvc_iucv_table[8].<br /> Oops.
Severity CVSS v4.0: Pending analysis
Last modification:
30/06/2026

CVE-2026-53292

Publication date:
26/06/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: phonet: do not BUG_ON() in pn_socket_autobind() on failed bind<br /> <br /> syzbot reported a kernel BUG triggered from pn_socket_sendmsg() via<br /> pn_socket_autobind():<br /> <br /> kernel BUG at net/phonet/socket.c:213!<br /> RIP: 0010:pn_socket_autobind net/phonet/socket.c:213 [inline]<br /> RIP: 0010:pn_socket_sendmsg+0x240/0x250 net/phonet/socket.c:421<br /> Call Trace:<br /> sock_sendmsg_nosec+0x112/0x150 net/socket.c:797<br /> __sock_sendmsg net/socket.c:812 [inline]<br /> __sys_sendto+0x402/0x590 net/socket.c:2280<br /> ...<br /> <br /> pn_socket_autobind() calls pn_socket_bind() with port 0 and, on<br /> -EINVAL, assumes the socket was already bound and asserts that the<br /> port is non-zero:<br /> <br /> err = pn_socket_bind(sock, ..., sizeof(struct sockaddr_pn));<br /> if (err != -EINVAL)<br /> return err;<br /> BUG_ON(!pn_port(pn_sk(sock-&gt;sk)-&gt;sobject));<br /> return 0; /* socket was already bound */<br /> <br /> However pn_socket_bind() also returns -EINVAL when sk-&gt;sk_state is not<br /> TCP_CLOSE, even when the socket has never been bound and pn_port() is<br /> still 0. In that case the BUG_ON() fires and panics the kernel from a<br /> user-triggerable path.<br /> <br /> Treat the "bind returned -EINVAL but pn_port() is still 0" case as a<br /> regular error and propagate -EINVAL to the caller instead of crashing.<br /> Existing callers already translate a non-zero return from<br /> pn_socket_autobind() into -ENOBUFS/-EAGAIN, so returning -EINVAL here<br /> only changes behaviour from panic to a normal errno.
Severity CVSS v4.0: Pending analysis
Last modification:
30/06/2026

CVE-2026-53293

Publication date:
26/06/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amdgpu: fix AMDGPU_INFO_READ_MMR_REG<br /> <br /> There were multiple issues in that code.<br /> <br /> First of all the order between the reset semaphore and the mm_lock was<br /> wrong (e.g. copy_to_user) was called while holding the lock.<br /> <br /> Then we allocated memory while holding the reset semaphore which is also<br /> a pretty big bug and can deadlock.<br /> <br /> Then we used down_read_trylock() instead of waiting for the reset to<br /> finish.<br /> <br /> (cherry picked from commit 361b6e6b303d4b691f6c5974d3eaab67ca6dd90e)
Severity CVSS v4.0: Pending analysis
Last modification:
30/06/2026

CVE-2026-53294

Publication date:
26/06/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mailbox: mailbox-test: don&amp;#39;t free the reused channel<br /> <br /> The RX channel can be aliased to the TX channel if it has a different<br /> MMIO. This special case needs to be handled when freeing the channels<br /> otherwise a double-free occurs.
Severity CVSS v4.0: Pending analysis
Last modification:
30/06/2026

CVE-2026-53295

Publication date:
26/06/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mailbox: add sanity check for channel array<br /> <br /> Fail gracefully if there is no channel array attached to the mailbox<br /> controller. Otherwise the later dereference will cause an OOPS which<br /> might not be seen because mailbox controllers might instantiate very<br /> early. Remove the comment explaining the obvious while here.
Severity CVSS v4.0: Pending analysis
Last modification:
30/06/2026

CVE-2026-53296

Publication date:
26/06/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mailbox: mailbox-test: free channels on probe error<br /> <br /> On probe error, free the previously obtained channels. This not only<br /> prevents a leak, but also UAF scenarios because the client structure<br /> will be removed nonetheless because it was allocated with devm.
Severity CVSS v4.0: Pending analysis
Last modification:
30/06/2026

CVE-2026-53297

Publication date:
26/06/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: mana: Guard mana_remove against double invocation<br /> <br /> If PM resume fails (e.g., mana_attach() returns an error), mana_probe()<br /> calls mana_remove(), which tears down the device and sets<br /> gd-&gt;gdma_context = NULL and gd-&gt;driver_data = NULL.<br /> <br /> However, a failed resume callback does not automatically unbind the<br /> driver. When the device is eventually unbound, mana_remove() is invoked<br /> a second time. Without a NULL check, it dereferences gc-&gt;dev with<br /> gc == NULL, causing a kernel panic.<br /> <br /> Add an early return if gdma_context or driver_data is NULL so the second<br /> invocation is harmless. Move the dev = gc-&gt;dev assignment after the<br /> guard so it cannot dereference NULL.
Severity CVSS v4.0: Pending analysis
Last modification:
30/06/2026