Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-45941

Publication date:
27/05/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> tpm: tpm_i2c_infineon: Fix locality leak on get_burstcount() failure<br /> <br /> get_burstcount() can return -EBUSY on timeout. When this happens, the<br /> function returns directly without releasing the locality that was<br /> acquired at the beginning of tpm_tis_i2c_send().<br /> <br /> Use goto out_err to ensure proper cleanup when get_burstcount() fails.
Severity CVSS v4.0: Pending analysis
Last modification:
24/06/2026

CVE-2026-45940

Publication date:
27/05/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: stmmac: fix oops when split header is enabled<br /> <br /> For GMAC4, when split header is enabled, in some rare cases, the<br /> hardware does not fill buf2 of the first descriptor with payload.<br /> Thus we cannot assume buf2 is always fully filled if it is not<br /> the last descriptor. Otherwise, the length of buf2 of the second<br /> descriptor will be calculated wrong and cause an oops:<br /> <br /> Unable to handle kernel paging request at virtual address ffff00019246bfc0<br /> ...<br /> x2 : 0000000000000040 x1 : ffff00019246bfc0 x0 : ffff00009246c000<br /> Call trace:<br /> dcache_inval_poc+0x28/0x58 (P)<br /> dma_direct_sync_single_for_cpu+0x38/0x6c<br /> __dma_sync_single_for_cpu+0x34/0x6c<br /> stmmac_napi_poll_rx+0x8f0/0xb60<br /> __napi_poll.constprop.0+0x30/0x144<br /> net_rx_action+0x160/0x274<br /> handle_softirqs+0x1b8/0x1fc<br /> ...<br /> <br /> To fix this, the PL bit-field in RDES3 register is used for all<br /> descriptors, whether it is the last descriptor or not.
Severity CVSS v4.0: Pending analysis
Last modification:
24/06/2026

CVE-2026-45939

Publication date:
27/05/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> gpib: Fix memory leak in ni_usb_init()<br /> <br /> In ni_usb_init(), if ni_usb_setup_init() fails, the function returns<br /> -EFAULT without freeing the allocated writes buffer, leading to a<br /> memory leak.<br /> <br /> Additionally, ni_usb_setup_init() returns 0 on failure, which causes<br /> ni_usb_init() to return -EFAULT, an inappropriate error code for this<br /> situation.<br /> <br /> Fix the leak by freeing writes in the error path. Modify<br /> ni_usb_setup_init() to return -EINVAL on failure and propagate this<br /> error code in ni_usb_init().
Severity CVSS v4.0: Pending analysis
Last modification:
24/06/2026

CVE-2026-45931

Publication date:
27/05/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> accel/amdxdna: Hold mm structure across iommu_sva_unbind_device()<br /> <br /> Some tests trigger a crash in iommu_sva_unbind_device() due to<br /> accessing iommu_mm after the associated mm structure has been<br /> freed.<br /> <br /> Fix this by taking an explicit reference to the mm structure<br /> after successfully binding the device, and releasing it only<br /> after the device is unbound. This ensures the mm remains valid<br /> for the entire SVA bind/unbind lifetime.
Severity CVSS v4.0: Pending analysis
Last modification:
25/06/2026

CVE-2026-45938

Publication date:
27/05/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> power: supply: pm8916_lbc: Fix use-after-free in power_supply_changed()<br /> <br /> Using the `devm_` variant for requesting IRQ _before_ the `devm_`<br /> variant for allocating/registering the `power_supply` handle, means that<br /> the `power_supply` handle will be deallocated/unregistered _before_ the<br /> interrupt handler (since `devm_` naturally deallocates in reverse<br /> allocation order). This means that during removal, there is a race<br /> condition where an interrupt can fire just _after_ the `power_supply`<br /> handle has been freed, *but* just _before_ the corresponding<br /> unregistration of the IRQ handler has run.<br /> <br /> This will lead to the IRQ handler calling `power_supply_changed()` with<br /> a freed `power_supply` handle. Which usually crashes the system or<br /> otherwise silently corrupts the memory...<br /> <br /> Note that there is a similar situation which can also happen during<br /> `probe()`; the possibility of an interrupt firing _before_ registering<br /> the `power_supply` handle. This would then lead to the nasty situation<br /> of using the `power_supply` handle *uninitialized* in<br /> `power_supply_changed()`.<br /> <br /> Fix this racy use-after-free by making sure the IRQ is requested _after_<br /> the registration of the `power_supply` handle.
Severity CVSS v4.0: Pending analysis
Last modification:
24/06/2026

CVE-2026-45937

Publication date:
27/05/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> crypto: inside-secure/eip93 - fix kernel panic in driver detach<br /> <br /> During driver detach, the same hash algorithm is unregistered multiple<br /> times due to a wrong iterator.
Severity CVSS v4.0: Pending analysis
Last modification:
24/06/2026

CVE-2026-45936

Publication date:
27/05/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> power: supply: goldfish: Fix use-after-free in power_supply_changed()<br /> <br /> Using the `devm_` variant for requesting IRQ _before_ the `devm_`<br /> variant for allocating/registering the `power_supply` handle, means that<br /> the `power_supply` handle will be deallocated/unregistered _before_ the<br /> interrupt handler (since `devm_` naturally deallocates in reverse<br /> allocation order). This means that during removal, there is a race<br /> condition where an interrupt can fire just _after_ the `power_supply`<br /> handle has been freed, *but* just _before_ the corresponding<br /> unregistration of the IRQ handler has run.<br /> <br /> This will lead to the IRQ handler calling `power_supply_changed()` with<br /> a freed `power_supply` handle. Which usually crashes the system or<br /> otherwise silently corrupts the memory...<br /> <br /> Note that there is a similar situation which can also happen during<br /> `probe()`; the possibility of an interrupt firing _before_ registering<br /> the `power_supply` handle. This would then lead to the nasty situation<br /> of using the `power_supply` handle *uninitialized* in<br /> `power_supply_changed()`.<br /> <br /> Fix this racy use-after-free by making sure the IRQ is requested _after_<br /> the registration of the `power_supply` handle.
Severity CVSS v4.0: Pending analysis
Last modification:
24/06/2026

CVE-2026-45935

Publication date:
27/05/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> fs/ntfs3: Fix slab-out-of-bounds read in DeleteIndexEntryRoot<br /> <br /> In the &amp;#39;DeleteIndexEntryRoot&amp;#39; case of the &amp;#39;do_action&amp;#39; function, the<br /> entry size (&amp;#39;esize&amp;#39;) is retrieved from the log record without adequate<br /> bounds checking.<br /> <br /> Specifically, the code calculates the end of the entry (&amp;#39;e2&amp;#39;) using:<br /> e2 = Add2Ptr(e1, esize);<br /> <br /> It then calculates the size for memmove using &amp;#39;PtrOffset(e2, ...)&amp;#39;,<br /> which subtracts the end pointer from the buffer limit. If &amp;#39;esize&amp;#39; is<br /> maliciously large, &amp;#39;e2&amp;#39; exceeds the used buffer size. This results in<br /> a negative offset which, when cast to size_t for memmove, interprets<br /> as a massive unsigned integer, leading to a heap buffer overflow.<br /> <br /> This commit adds a check to ensure that the entry size (&amp;#39;esize&amp;#39;) strictly<br /> fits within the remaining used space of the index header before performing<br /> memory operations.
Severity CVSS v4.0: Pending analysis
Last modification:
24/06/2026

CVE-2026-45934

Publication date:
27/05/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> btrfs: fix EEXIST abort due to non-consecutive gaps in chunk allocation<br /> <br /> I have been observing a number of systems aborting at<br /> insert_dev_extents() in btrfs_create_pending_block_groups(). The<br /> following is a sample stack trace of such an abort coming from forced<br /> chunk allocation (typically behind CONFIG_BTRFS_EXPERIMENTAL) but this<br /> can theoretically happen to any DUP chunk allocation.<br /> <br /> [81.801] ------------[ cut here ]------------<br /> [81.801] BTRFS: Transaction aborted (error -17)<br /> [81.801] WARNING: fs/btrfs/block-group.c:2876 at btrfs_create_pending_block_groups+0x721/0x770 [btrfs], CPU#1: bash/319<br /> [81.802] Modules linked in: virtio_net btrfs xor zstd_compress raid6_pq null_blk<br /> [81.803] CPU: 1 UID: 0 PID: 319 Comm: bash Kdump: loaded Not tainted 6.19.0-rc6+ #319 NONE<br /> [81.803] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.17.0-2-2 04/01/2014<br /> [81.804] RIP: 0010:btrfs_create_pending_block_groups+0x723/0x770 [btrfs]<br /> [81.806] RSP: 0018:ffffa36241a6bce8 EFLAGS: 00010282<br /> [81.806] RAX: 000000000000000d RBX: ffff8e699921e400 RCX: 0000000000000000<br /> [81.807] RDX: 0000000002040001 RSI: 00000000ffffffef RDI: ffffffffc0608bf0<br /> [81.807] RBP: 00000000ffffffef R08: ffff8e69830f6000 R09: 0000000000000007<br /> [81.808] R10: ffff8e699921e5e8 R11: 0000000000000000 R12: ffff8e6999228000<br /> [81.808] R13: ffff8e6984d82000 R14: ffff8e69966a69c0 R15: ffff8e69aa47b000<br /> [81.809] FS: 00007fec6bdd9740(0000) GS:ffff8e6b1b379000(0000) knlGS:0000000000000000<br /> [81.809] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [81.810] CR2: 00005604833670f0 CR3: 0000000116679000 CR4: 00000000000006f0<br /> [81.810] Call Trace:<br /> [81.810] <br /> [81.810] __btrfs_end_transaction+0x3e/0x2b0 [btrfs]<br /> [81.811] btrfs_force_chunk_alloc_store+0xcd/0x140 [btrfs]<br /> [81.811] kernfs_fop_write_iter+0x15f/0x240<br /> [81.812] vfs_write+0x264/0x500<br /> [81.812] ksys_write+0x6c/0xe0<br /> [81.812] do_syscall_64+0x66/0x770<br /> [81.812] entry_SYSCALL_64_after_hwframe+0x76/0x7e<br /> [81.813] RIP: 0033:0x7fec6be66197<br /> [81.814] RSP: 002b:00007fffb159dd30 EFLAGS: 00000202 ORIG_RAX: 0000000000000001<br /> [81.815] RAX: ffffffffffffffda RBX: 00007fec6bdd9740 RCX: 00007fec6be66197<br /> [81.815] RDX: 0000000000000002 RSI: 0000560483374f80 RDI: 0000000000000001<br /> [81.816] RBP: 0000560483374f80 R08: 0000000000000000 R09: 0000000000000000<br /> [81.816] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000002<br /> [81.817] R13: 00007fec6bfb85c0 R14: 00007fec6bfb5ee0 R15: 00005604833729c0<br /> [81.817] <br /> [81.817] irq event stamp: 20039<br /> [81.818] hardirqs last enabled at (20047): [] __up_console_sem+0x52/0x60<br /> [81.818] hardirqs last disabled at (20056): [] __up_console_sem+0x37/0x60<br /> [81.819] softirqs last enabled at (19470): [] __irq_exit_rcu+0x96/0xc0<br /> [81.819] softirqs last disabled at (19463): [] __irq_exit_rcu+0x96/0xc0<br /> [81.820] ---[ end trace 0000000000000000 ]---<br /> [81.820] BTRFS: error (device dm-7 state A) in btrfs_create_pending_block_groups:2876: errno=-17 Object already exists<br /> <br /> Inspecting these aborts with drgn, I observed a pattern of overlapping<br /> chunk_maps. Note how stripe 1 of the first chunk overlaps in physical<br /> address with stripe 0 of the second chunk.<br /> <br /> Physical Start Physical End Length Logical Type Stripe<br /> ----------------------------------------------------------------------------------------------------<br /> 0x0000000102500000 0x0000000142500000 1.0G 0x0000000641d00000 META|DUP 0/2<br /> 0x0000000142500000 0x0000000182500000 1.0G 0x0000000641d00000 META|DUP 1/2<br /> 0x0000000142500000 0x0000000182500000 1.0G 0x0000000601d00000 META|DUP 0/2<br /> 0x0000000182500000 0x00000001c2500000 1.0G 0x0000000601d00000 META|DUP 1/2<br /> <br /> Now how could this possibly happen? All chunk allocation is<br /> ---truncated---
Severity CVSS v4.0: Pending analysis
Last modification:
24/06/2026

CVE-2026-45933

Publication date:
27/05/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bpf: Preserve id of register in sync_linked_regs()<br /> <br /> sync_linked_regs() copies the id of known_reg to reg when propagating<br /> bounds of known_reg to reg using the off of known_reg, but when<br /> known_reg was linked to reg like:<br /> <br /> known_reg = reg ; both known_reg and reg get same id<br /> known_reg += 4 ; known_reg gets off = 4, and its id gets BPF_ADD_CONST<br /> <br /> now when a call to sync_linked_regs() happens, let&amp;#39;s say with the following:<br /> <br /> if known_reg &gt;= 10 goto pc+2<br /> <br /> known_reg&amp;#39;s new bounds are propagated to reg but now reg gets<br /> BPF_ADD_CONST from the copy.<br /> <br /> This means if another link to reg is created like:<br /> <br /> another_reg = reg ; another_reg should get the id of reg but<br /> assign_scalar_id_before_mov() sees<br /> BPF_ADD_CONST on reg and assigns a new id to it.<br /> <br /> As reg has a new id now, known_reg&amp;#39;s link to reg is broken. If we find<br /> new bounds for known_reg, they will not be propagated to reg.<br /> <br /> This can be seen in the selftest added in the next commit:<br /> <br /> 0: (85) call bpf_get_prandom_u32#7 ; R0=scalar()<br /> 1: (57) r0 &amp;= 255 ; R0=scalar(smin=smin32=0,smax=umax=smax32=umax32=255,var_off=(0x0; 0xff))<br /> 2: (bf) r1 = r0 ; R0=scalar(id=1,smin=smin32=0,smax=umax=smax32=umax32=255,var_off=(0x0; 0xff)) R1=scalar(id=1,smin=smin32=0,smax=umax=smax32=umax32=255,var_off=(0x0; 0xff))<br /> 3: (07) r1 += 4 ; R1=scalar(id=1+4,smin=umin=smin32=umin32=4,smax=umax=smax32=umax32=259,var_off=(0x0; 0x1ff))<br /> 4: (a5) if r1
Severity CVSS v4.0: Pending analysis
Last modification:
24/06/2026

CVE-2026-45932

Publication date:
27/05/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bpf: Fix tcx/netkit detach permissions when prog fd isn&amp;#39;t given<br /> <br /> This commit fixes a security issue where BPF_PROG_DETACH on tcx or<br /> netkit devices could be executed by any user when no program fd was<br /> provided, bypassing permission checks. The fix adds a capability<br /> check for CAP_NET_ADMIN or CAP_SYS_ADMIN in this case.
Severity CVSS v4.0: Pending analysis
Last modification:
24/06/2026

CVE-2026-45925

Publication date:
27/05/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> thermal/of: Fix reference leak in thermal_of_cm_lookup()<br /> <br /> In thermal_of_cm_lookup(), tr_np is obtained via of_parse_phandle(), but<br /> never released.<br /> <br /> Use the __free(device_node) cleanup attribute to automatically release<br /> the node and fix the leak.<br /> <br /> [ rjw: Changelog edits ]
Severity CVSS v4.0: Pending analysis
Last modification:
25/06/2026