Vulnerabilities

To inform, warn and help professionals with the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database) under a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible, with different criteria available to narrow down the results, such as vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2026-46007

Publication date:
27/05/2026
In the Linux kernel, the following vulnerability has been resolved:

hwmon: (powerz) Avoid cacheline sharing for DMA buffer

Depending on the architecture the transfer buffer may share a cacheline with the following mutex. As the buffer may be used for DMA, that is problematic.

Use the high-level DMA helpers to make sure that cacheline sharing can not happen.

Also drop the comment, as the helpers are documentation enough.

https://sashiko.dev/#/message/20260408175814.934BFC19421%40smtp.kernel.org
Severity CVSS v4.0: Pending analysis
Last modification:
16/06/2026

CVE-2026-46004

Publication date:
27/05/2026
In the Linux kernel, the following vulnerability has been resolved:

ALSA: caiaq: Handle probe errors properly

The probe procedure of setup_card() in caiaq driver doesn't treat the error cases gracefully, e.g. the error from snd_card_register() calls snd_card_free() but continues. This would lead to a UAF for the further calls like snd_usb_caiaq_control_init(), as Berk suggested in another patch in the link below.

However, the problem is not only that; in general, this function drops all the error handling (as it's a void function) although its caller can propagate an error to snd_probe(), which eventually calls snd_card_free() as a proper error path. That said, we should treat each error case in setup_card(), and just return the error code promptly, which is then handled later as a fatal error in snd_probe().

This patch achieves it by changing the setup_card() to return an error code. Also, the superfluous snd_card_free() call is removed, too.

Note that card->private_free can be set still safely at returning an error. All called functions in card_free() have checks of the unassigned resources or NULL checks.
Severity CVSS v4.0: Pending analysis
Last modification:
16/06/2026

CVE-2026-46003

Publication date:
27/05/2026
In the Linux kernel, the following vulnerability has been resolved:

net: qrtr: ns: Limit the total number of nodes

Currently, the nameserver doesn't limit the number of nodes it handles. This can be an attack vector if a malicious client starts registering random nodes, leading to memory exhaustion.

Hence, limit the maximum number of nodes to 64. Note that, limit of 64 is chosen based on the current platform requirements. If requirement changes in the future, this limit can be increased.
Severity CVSS v4.0: Pending analysis
Last modification:
19/06/2026

CVE-2026-46005

Publication date:
27/05/2026
In the Linux kernel, the following vulnerability has been resolved:

xfs: fix a resource leak in xfs_alloc_buftarg()

In the error path, call fs_put_dax() to drop the DAX device reference.
Severity CVSS v4.0: Pending analysis
Last modification:
19/06/2026

CVE-2026-46006

Publication date:
27/05/2026
In the Linux kernel, the following vulnerability has been resolved:

drm/nouveau: fix u32 overflow in pushbuf reloc bounds check

nouveau_gem_pushbuf_reloc_apply() validates each relocation with

    if (r->reloc_bo_offset + 4 > nvbo->bo.base.size)

but reloc_bo_offset is __u32 (uapi/drm/nouveau_drm.h) and the integer literal 4 promotes to unsigned int, so the addition is performed in 32 bits and wraps before the comparison against the size_t bo size.

Cast to u64 so the addition happens in 64-bit arithmetic.

[ Add Fixes: tag. - Danilo ]
Severity CVSS v4.0: Pending analysis
Last modification:
19/06/2026

CVE-2026-46000

Publication date:
27/05/2026
In the Linux kernel, the following vulnerability has been resolved:

rxrpc: Fix conn-level packet handling to unshare RESPONSE packets

The security operations that verify the RESPONSE packets decrypt bits of it in place - however, the sk_buff may be shared with a packet sniffer, which would lead to the sniffer seeing an apparently corrupt packet (actually decrypted).

Fix this by handing a copy of the packet off to the specific security handler if the packet was cloned.
Severity CVSS v4.0: Pending analysis
Last modification:
16/06/2026

CVE-2026-45997

Publication date:
27/05/2026
In the Linux kernel, the following vulnerability has been resolved:

scsi: sd: fix missing put_disk() when device_add(&disk_dev) fails

If device_add(&sdkp->disk_dev) fails, put_device() runs scsi_disk_release(), which frees the scsi_disk but leaves the gendisk referenced. The device_add_disk() error path in sd_probe() calls put_disk(gd); call put_disk(gd) here to mirror that cleanup.
Severity CVSS v4.0: Pending analysis
Last modification:
16/06/2026

CVE-2026-45995

Publication date:
27/05/2026
In the Linux kernel, the following vulnerability has been resolved:

io_uring/zcrx: fix user_struct uaf

io_free_rbuf_ring() uses a struct user_struct, which io_zcrx_ifq_free() puts it down before destroying the ring.
Severity CVSS v4.0: Pending analysis
Last modification:
16/06/2026

CVE-2026-46002

Publication date:
27/05/2026
In the Linux kernel, the following vulnerability has been resolved:

ext2: reject inodes with zero i_nlink and valid mode in ext2_iget()

ext2_iget() already rejects inodes with i_nlink == 0 when i_mode is zero or i_dtime is set, treating them as deleted. However, the case of i_nlink == 0 with a non-zero mode and zero dtime slips through. Since ext2 has no orphan list, such a combination can only result from filesystem corruption - a legitimate inode deletion always sets either i_dtime or clears i_mode before freeing the inode.

A crafted image can exploit this gap to present such an inode to the VFS, which then triggers WARN_ON inside drop_nlink() (fs/inode.c) via ext2_unlink(), ext2_rename() and ext2_rmdir():

    WARNING: CPU: 3 PID: 609 at fs/inode.c:336 drop_nlink+0xad/0xd0 fs/inode.c:336
    CPU: 3 UID: 0 PID: 609 Comm: syz-executor Not tainted 6.12.77+ #1
    Call Trace:
    inode_dec_link_count include/linux/fs.h:2518 [inline]
    ext2_unlink+0x26c/0x300 fs/ext2/namei.c:295
    vfs_unlink+0x2fc/0x9b0 fs/namei.c:4477
    do_unlinkat+0x53e/0x730 fs/namei.c:4541
    __x64_sys_unlink+0xc6/0x110 fs/namei.c:4587
    do_syscall_64+0xf5/0x220 arch/x86/entry/common.c:78
    entry_SYSCALL_64_after_hwframe+0x77/0x7f

    WARNING: CPU: 0 PID: 646 at fs/inode.c:336 drop_nlink+0xad/0xd0 fs/inode.c:336
    CPU: 0 UID: 0 PID: 646 Comm: syz.0.17 Not tainted 6.12.77+ #1
    Call Trace:
    inode_dec_link_count include/linux/fs.h:2518 [inline]
    ext2_rename+0x35e/0x850 fs/ext2/namei.c:374
    vfs_rename+0xf2f/0x2060 fs/namei.c:5021
    do_renameat2+0xbe2/0xd50 fs/namei.c:5178
    __x64_sys_rename+0x7e/0xa0 fs/namei.c:5223
    do_syscall_64+0xf5/0x220 arch/x86/entry/common.c:78
    entry_SYSCALL_64_after_hwframe+0x77/0x7f

    WARNING: CPU: 0 PID: 634 at fs/inode.c:336 drop_nlink+0xad/0xd0 fs/inode.c:336
    CPU: 0 UID: 0 PID: 634 Comm: syz-executor Not tainted 6.12.77+ #1
    Call Trace:
    inode_dec_link_count include/linux/fs.h:2518 [inline]
    ext2_rmdir+0xca/0x110 fs/ext2/namei.c:311
    vfs_rmdir+0x204/0x690 fs/namei.c:4348
    do_rmdir+0x372/0x3e0 fs/namei.c:4407
    __x64_sys_unlinkat+0xf0/0x130 fs/namei.c:4577
    do_syscall_64+0xf5/0x220 arch/x86/entry/common.c:78
    entry_SYSCALL_64_after_hwframe+0x77/0x7f

Extend the existing i_nlink == 0 check to also catch this case, reporting the corruption via ext2_error() and returning -EFSCORRUPTED. This rejects the inode at load time and prevents it from reaching any of the namei.c paths.

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
Severity CVSS v4.0: Pending analysis
Last modification:
16/06/2026

CVE-2026-46001

Publication date:
27/05/2026
In the Linux kernel, the following vulnerability has been resolved:

hwmon: (pt5161l) Fix bugs in pt5161l_read_block_data()

Fix two bugs in pt5161l_read_block_data():

1. Buffer overrun: The local buffer rbuf is declared as u8 rbuf[24], but i2c_smbus_read_block_data() can return up to I2C_SMBUS_BLOCK_MAX (32) bytes. The i2c-core copies the data into the caller's buffer before the return value can be checked, so the post-read length validation does not prevent a stack overrun if a device returns more than 24 bytes. Resize the buffer to I2C_SMBUS_BLOCK_MAX.

2. Unexpected positive return on length mismatch: When all three retries are exhausted because the device returns data with an unexpected length, i2c_smbus_read_block_data() returns a positive byte count. The function returns this directly, and callers treat any non-negative return as success, processing stale or incomplete buffer contents. Return -EIO when retries are exhausted with a positive return value, preserving the negative error code on I2C failure.
Severity CVSS v4.0: Pending analysis
Last modification:
16/06/2026

CVE-2026-45996

Publication date:
27/05/2026
In the Linux kernel, the following vulnerability has been resolved:

spi: imx: fix use-after-free on unbind

The SPI subsystem frees the controller and any subsystem allocated driver data as part of deregistration (unless the allocation is device managed).

Take another reference before deregistering the controller so that the driver data is not freed until the driver is done with it.
Severity CVSS v4.0: Pending analysis
Last modification:
19/06/2026

CVE-2026-45999

Publication date:
27/05/2026
In the Linux kernel, the following vulnerability has been resolved:

erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap()

Some crafted images can have illegal (!partial_decoding && m_llen
Severity CVSS v4.0: Pending analysis
Last modification:
19/06/2026