Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-45934

Publication date:
27/05/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> btrfs: fix EEXIST abort due to non-consecutive gaps in chunk allocation<br /> <br /> I have been observing a number of systems aborting at<br /> insert_dev_extents() in btrfs_create_pending_block_groups(). The<br /> following is a sample stack trace of such an abort coming from forced<br /> chunk allocation (typically behind CONFIG_BTRFS_EXPERIMENTAL) but this<br /> can theoretically happen to any DUP chunk allocation.<br /> <br /> [81.801] ------------[ cut here ]------------<br /> [81.801] BTRFS: Transaction aborted (error -17)<br /> [81.801] WARNING: fs/btrfs/block-group.c:2876 at btrfs_create_pending_block_groups+0x721/0x770 [btrfs], CPU#1: bash/319<br /> [81.802] Modules linked in: virtio_net btrfs xor zstd_compress raid6_pq null_blk<br /> [81.803] CPU: 1 UID: 0 PID: 319 Comm: bash Kdump: loaded Not tainted 6.19.0-rc6+ #319 NONE<br /> [81.803] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.17.0-2-2 04/01/2014<br /> [81.804] RIP: 0010:btrfs_create_pending_block_groups+0x723/0x770 [btrfs]<br /> [81.806] RSP: 0018:ffffa36241a6bce8 EFLAGS: 00010282<br /> [81.806] RAX: 000000000000000d RBX: ffff8e699921e400 RCX: 0000000000000000<br /> [81.807] RDX: 0000000002040001 RSI: 00000000ffffffef RDI: ffffffffc0608bf0<br /> [81.807] RBP: 00000000ffffffef R08: ffff8e69830f6000 R09: 0000000000000007<br /> [81.808] R10: ffff8e699921e5e8 R11: 0000000000000000 R12: ffff8e6999228000<br /> [81.808] R13: ffff8e6984d82000 R14: ffff8e69966a69c0 R15: ffff8e69aa47b000<br /> [81.809] FS: 00007fec6bdd9740(0000) GS:ffff8e6b1b379000(0000) knlGS:0000000000000000<br /> [81.809] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [81.810] CR2: 00005604833670f0 CR3: 0000000116679000 CR4: 00000000000006f0<br /> [81.810] Call Trace:<br /> [81.810] <br /> [81.810] __btrfs_end_transaction+0x3e/0x2b0 [btrfs]<br /> [81.811] btrfs_force_chunk_alloc_store+0xcd/0x140 [btrfs]<br /> [81.811] kernfs_fop_write_iter+0x15f/0x240<br /> [81.812] vfs_write+0x264/0x500<br /> [81.812] ksys_write+0x6c/0xe0<br /> [81.812] do_syscall_64+0x66/0x770<br /> [81.812] entry_SYSCALL_64_after_hwframe+0x76/0x7e<br /> [81.813] RIP: 0033:0x7fec6be66197<br /> [81.814] RSP: 002b:00007fffb159dd30 EFLAGS: 00000202 ORIG_RAX: 0000000000000001<br /> [81.815] RAX: ffffffffffffffda RBX: 00007fec6bdd9740 RCX: 00007fec6be66197<br /> [81.815] RDX: 0000000000000002 RSI: 0000560483374f80 RDI: 0000000000000001<br /> [81.816] RBP: 0000560483374f80 R08: 0000000000000000 R09: 0000000000000000<br /> [81.816] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000002<br /> [81.817] R13: 00007fec6bfb85c0 R14: 00007fec6bfb5ee0 R15: 00005604833729c0<br /> [81.817] <br /> [81.817] irq event stamp: 20039<br /> [81.818] hardirqs last enabled at (20047): [] __up_console_sem+0x52/0x60<br /> [81.818] hardirqs last disabled at (20056): [] __up_console_sem+0x37/0x60<br /> [81.819] softirqs last enabled at (19470): [] __irq_exit_rcu+0x96/0xc0<br /> [81.819] softirqs last disabled at (19463): [] __irq_exit_rcu+0x96/0xc0<br /> [81.820] ---[ end trace 0000000000000000 ]---<br /> [81.820] BTRFS: error (device dm-7 state A) in btrfs_create_pending_block_groups:2876: errno=-17 Object already exists<br /> <br /> Inspecting these aborts with drgn, I observed a pattern of overlapping<br /> chunk_maps. Note how stripe 1 of the first chunk overlaps in physical<br /> address with stripe 0 of the second chunk.<br /> <br /> Physical Start Physical End Length Logical Type Stripe<br /> ----------------------------------------------------------------------------------------------------<br /> 0x0000000102500000 0x0000000142500000 1.0G 0x0000000641d00000 META|DUP 0/2<br /> 0x0000000142500000 0x0000000182500000 1.0G 0x0000000641d00000 META|DUP 1/2<br /> 0x0000000142500000 0x0000000182500000 1.0G 0x0000000601d00000 META|DUP 0/2<br /> 0x0000000182500000 0x00000001c2500000 1.0G 0x0000000601d00000 META|DUP 1/2<br /> <br /> Now how could this possibly happen? All chunk allocation is<br /> ---truncated---
Severity CVSS v4.0: Pending analysis
Last modification:
24/06/2026

CVE-2026-45933

Publication date:
27/05/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bpf: Preserve id of register in sync_linked_regs()<br /> <br /> sync_linked_regs() copies the id of known_reg to reg when propagating<br /> bounds of known_reg to reg using the off of known_reg, but when<br /> known_reg was linked to reg like:<br /> <br /> known_reg = reg ; both known_reg and reg get same id<br /> known_reg += 4 ; known_reg gets off = 4, and its id gets BPF_ADD_CONST<br /> <br /> now when a call to sync_linked_regs() happens, let&amp;#39;s say with the following:<br /> <br /> if known_reg &gt;= 10 goto pc+2<br /> <br /> known_reg&amp;#39;s new bounds are propagated to reg but now reg gets<br /> BPF_ADD_CONST from the copy.<br /> <br /> This means if another link to reg is created like:<br /> <br /> another_reg = reg ; another_reg should get the id of reg but<br /> assign_scalar_id_before_mov() sees<br /> BPF_ADD_CONST on reg and assigns a new id to it.<br /> <br /> As reg has a new id now, known_reg&amp;#39;s link to reg is broken. If we find<br /> new bounds for known_reg, they will not be propagated to reg.<br /> <br /> This can be seen in the selftest added in the next commit:<br /> <br /> 0: (85) call bpf_get_prandom_u32#7 ; R0=scalar()<br /> 1: (57) r0 &amp;= 255 ; R0=scalar(smin=smin32=0,smax=umax=smax32=umax32=255,var_off=(0x0; 0xff))<br /> 2: (bf) r1 = r0 ; R0=scalar(id=1,smin=smin32=0,smax=umax=smax32=umax32=255,var_off=(0x0; 0xff)) R1=scalar(id=1,smin=smin32=0,smax=umax=smax32=umax32=255,var_off=(0x0; 0xff))<br /> 3: (07) r1 += 4 ; R1=scalar(id=1+4,smin=umin=smin32=umin32=4,smax=umax=smax32=umax32=259,var_off=(0x0; 0x1ff))<br /> 4: (a5) if r1
Severity CVSS v4.0: Pending analysis
Last modification:
24/06/2026

CVE-2026-45932

Publication date:
27/05/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bpf: Fix tcx/netkit detach permissions when prog fd isn&amp;#39;t given<br /> <br /> This commit fixes a security issue where BPF_PROG_DETACH on tcx or<br /> netkit devices could be executed by any user when no program fd was<br /> provided, bypassing permission checks. The fix adds a capability<br /> check for CAP_NET_ADMIN or CAP_SYS_ADMIN in this case.
Severity CVSS v4.0: Pending analysis
Last modification:
24/06/2026

CVE-2026-45925

Publication date:
27/05/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> thermal/of: Fix reference leak in thermal_of_cm_lookup()<br /> <br /> In thermal_of_cm_lookup(), tr_np is obtained via of_parse_phandle(), but<br /> never released.<br /> <br /> Use the __free(device_node) cleanup attribute to automatically release<br /> the node and fix the leak.<br /> <br /> [ rjw: Changelog edits ]
Severity CVSS v4.0: Pending analysis
Last modification:
25/06/2026

CVE-2026-45926

Publication date:
27/05/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> rust: pwm: Fix potential memory leak on init error<br /> <br /> When initializing a PWM chip using pwmchip_alloc(), the allocated device<br /> owns an initial reference that must be released on all error paths.<br /> <br /> If __pinned_init() were to fail, the allocated pwm_chip would currently<br /> leak because the error path returns without calling pwmchip_put().
Severity CVSS v4.0: Pending analysis
Last modification:
25/06/2026

CVE-2026-45927

Publication date:
27/05/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bpf: Require frozen map for calculating map hash<br /> <br /> Currently, bpf_map_get_info_by_fd calculates and caches the hash of the<br /> map regardless of the map&amp;#39;s frozen state.<br /> <br /> This leads to a TOCTOU bug where userspace can call<br /> BPF_OBJ_GET_INFO_BY_FD to cache the hash and then modify the map<br /> contents before freezing.<br /> <br /> Therefore, a trusted loader can be tricked into verifying the stale hash<br /> while loading the modified contents.<br /> <br /> Fix this by returning -EPERM if the map is not frozen when the hash is<br /> requested. This ensures the hash is only generated for the final,<br /> immutable state of the map.
Severity CVSS v4.0: Pending analysis
Last modification:
25/06/2026

CVE-2026-45928

Publication date:
27/05/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> media: chips-media: wave5: Fix memory leak on codec_info allocation failure<br /> <br /> In wave5_vpu_open_enc() and wave5_vpu_open_dec(), a vpu instance is<br /> allocated via kzalloc(). If the subsequent allocation for inst-&gt;codec_info<br /> fails, the functions return -ENOMEM without freeing the previously<br /> allocated instance, causing a memory leak.<br /> <br /> Fix this by calling kfree() on the instance in this error path to ensure<br /> it is properly released.
Severity CVSS v4.0: Pending analysis
Last modification:
25/06/2026

CVE-2026-45929

Publication date:
27/05/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ovpn: fix possible use-after-free in ovpn_net_xmit<br /> <br /> When building the skb_list in ovpn_net_xmit, skb_share_check will free<br /> the original skb if it is shared. The current implementation continues<br /> to use the stale skb pointer for subsequent operations:<br /> - peer lookup,<br /> - skb_dst_drop (even though all segments produced by skb_gso_segment<br /> will have a dst attached),<br /> - ovpn_peer_stats_increment_tx.<br /> <br /> Fix this by moving the peer lookup and skb_dst_drop before segmentation<br /> so that the original skb is still valid when used. Return early if all<br /> segments fail skb_share_check and the list ends up empty.<br /> Also switch ovpn_peer_stats_increment_tx to use skb_list.next; the next<br /> patch fixes the stats logic.
Severity CVSS v4.0: Pending analysis
Last modification:
25/06/2026

CVE-2026-45930

Publication date:
27/05/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: mctp: ensure our nlmsg responses are initialised<br /> <br /> Syed Faraz Abrar (@farazsth98) from Zellic, and Pumpkin (@u1f383) from<br /> DEVCORE Research Team working with Trend Micro Zero Day Initiative<br /> report that a RTM_GETNEIGH will return uninitalised data in the pad<br /> bytes of the ndmsg data.<br /> <br /> Ensure we&amp;#39;re initialising the netlink data to zero, in the link, addr<br /> and neigh response messages.
Severity CVSS v4.0: Pending analysis
Last modification:
25/06/2026

CVE-2026-45924

Publication date:
27/05/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ksmbd: call ksmbd_vfs_kern_path_end_removing() on some error paths<br /> <br /> There are two places where ksmbd_vfs_kern_path_end_removing() needs to be<br /> called in order to balance what the corresponding successful call to<br /> ksmbd_vfs_kern_path_start_removing() has done, i.e. drop inode locks and<br /> put the taken references. Otherwise there might be potential deadlocks<br /> and unbalanced locks which are caught like:<br /> <br /> BUG: workqueue leaked lock or atomic: kworker/5:21/0x00000000/7596<br /> last function: handle_ksmbd_work<br /> 2 locks held by kworker/5:21/7596:<br /> #0: ffff8881051ae448 (sb_writers#3){.+.+}-{0:0}, at: ksmbd_vfs_kern_path_locked+0x142/0x660<br /> #1: ffff888130e966c0 (&amp;type-&gt;i_mutex_dir_key#3/1){+.+.}-{4:4}, at: ksmbd_vfs_kern_path_locked+0x17d/0x660<br /> CPU: 5 PID: 7596 Comm: kworker/5:21 Not tainted 6.1.162-00456-gc29b353f383b #138<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014<br /> Workqueue: ksmbd-io handle_ksmbd_work<br /> Call Trace:<br /> <br /> dump_stack_lvl+0x44/0x5b<br /> process_one_work.cold+0x57/0x5c<br /> worker_thread+0x82/0x600<br /> kthread+0x153/0x190<br /> ret_from_fork+0x22/0x30<br /> <br /> <br /> Found by Linux Verification Center (linuxtesting.org).
Severity CVSS v4.0: Pending analysis
Last modification:
24/06/2026

CVE-2026-45923

Publication date:
27/05/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: usb: catc: enable basic endpoint checking<br /> <br /> catc_probe() fills three URBs with hardcoded endpoint pipes without<br /> verifying the endpoint descriptors:<br /> <br /> - usb_sndbulkpipe(usbdev, 1) and usb_rcvbulkpipe(usbdev, 1) for TX/RX<br /> - usb_rcvintpipe(usbdev, 2) for interrupt status<br /> <br /> A malformed USB device can present these endpoints with transfer types<br /> that differ from what the driver assumes.<br /> <br /> Add a catc_usb_ep enum for endpoint numbers, replacing magic constants<br /> throughout. Add usb_check_bulk_endpoints() and usb_check_int_endpoints()<br /> calls after usb_set_interface() to verify endpoint types before use,<br /> rejecting devices with mismatched descriptors at probe time.<br /> <br /> Similar to<br /> - commit 90b7f2961798 ("net: usb: rtl8150: enable basic endpoint checking")<br /> which fixed the issue in rtl8150.
Severity CVSS v4.0: Pending analysis
Last modification:
24/06/2026

CVE-2026-45922

Publication date:
27/05/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> RDMA/mlx5: Fix memory leak in GET_DATA_DIRECT_SYSFS_PATH handler<br /> <br /> The UVERBS_HANDLER(MLX5_IB_METHOD_GET_DATA_DIRECT_SYSFS_PATH) function<br /> allocates memory for the device path using kobject_get_path(). If the<br /> length of the device path exceeds the output buffer length, the function<br /> returns -ENOSPC but does not free the allocated memory, resulting in a<br /> memory leak.<br /> <br /> Add a kfree() call to the error path to ensure the allocated memory is<br /> properly freed.<br /> <br /> Compile tested only. Issue found using a prototype static analysis tool<br /> and code review.
Severity CVSS v4.0: Pending analysis
Last modification:
24/06/2026