Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Vulnerabilidades

Con el objetivo de informar, advertir y ayudar a los profesionales sobre las últimas vulnerabilidades de seguridad en sistemas tecnológicos, ponemos a disposición de los usuarios interesados en esta información una base de datos con información en castellano sobre cada una de las últimas vulnerabilidades documentadas y conocidas.

Este repositorio con más de 75.000 registros esta basado en la información de NVD (National Vulnerability Database) – en función de un acuerdo de colaboración – por el cual desde INCIBE realizamos la traducción al castellano de la información incluida. En ocasiones este listado mostrará vulnerabilidades que aún no han sido traducidas debido a que se recogen en el transcurso del tiempo en el que el equipo de INCIBE realiza el proceso de traducción.

Se emplea el estándar de nomenclatura de vulnerabilidades CVE (Common Vulnerabilities and Exposures), con el fin de facilitar el intercambio de información entre diferentes bases de datos y herramientas. Cada una de las vulnerabilidades recogidas enlaza a diversas fuentes de información así como a parches disponibles o soluciones aportadas por los fabricantes y desarrolladores. Es posible realizar búsquedas avanzadas teniendo la opción de seleccionar diferentes criterios como el tipo de vulnerabilidad, fabricante, tipo de impacto entre otros, con el fin de acortar los resultados.

Mediante suscripción RSS o Boletines podemos estar informados diariamente de las últimas vulnerabilidades incorporadas al repositorio.

CVE-2026-53313

Fecha de publicación:
26/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amd/display: Avoid NULL dereference in dc_dmub_srv error paths<br /> <br /> In dc_dmub_srv_log_diagnostic_data() and<br /> dc_dmub_srv_enable_dpia_trace().<br /> <br /> Both functions check:<br /> <br /> if (!dc_dmub_srv || !dc_dmub_srv-&gt;dmub)<br /> <br /> and then call DC_LOG_ERROR() inside that block.<br /> <br /> DC_LOG_ERROR() uses dc_dmub_srv-&gt;ctx internally. So if<br /> dc_dmub_srv is NULL, the logging itself can dereference a<br /> NULL pointer and cause a crash.<br /> <br /> Fix this by splitting the checks.<br /> <br /> First check if dc_dmub_srv is NULL and return immediately.<br /> Then check dc_dmub_srv-&gt;dmub and log the error only when<br /> dc_dmub_srv is valid.<br /> <br /> Fixes the below:<br /> ../display/dc/dc_dmub_srv.c:962 dc_dmub_srv_log_diagnostic_data() error: we previously assumed &amp;#39;dc_dmub_srv&amp;#39; could be null (see line 961)<br /> ../display/dc/dc_dmub_srv.c:1167 dc_dmub_srv_enable_dpia_trace() error: we previously assumed &amp;#39;dc_dmub_srv&amp;#39; could be null (see line 1166)
Gravedad: Pendiente de análisis
Última modificación:
30/06/2026

CVE-2026-53314

Fecha de publicación:
26/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> padata: Put CPU offline callback in ONLINE section to allow failure<br /> <br /> syzbot reported the following warning:<br /> <br /> DEAD callback error for CPU1<br /> WARNING: kernel/cpu.c:1463 at _cpu_down+0x759/0x1020 kernel/cpu.c:1463, CPU#0: syz.0.1960/14614<br /> <br /> at commit 4ae12d8bd9a8 ("Merge tag &amp;#39;kbuild-fixes-7.0-2&amp;#39; of git://git.kernel.org/pub/scm/linux/kernel/git/kbuild/linux")<br /> which tglx traced to padata_cpu_dead() given it&amp;#39;s the only<br /> sub-CPUHP_TEARDOWN_CPU callback that returns an error.<br /> <br /> Failure isn&amp;#39;t allowed in hotplug states before CPUHP_TEARDOWN_CPU<br /> so move the CPU offline callback to the ONLINE section where failure is<br /> possible.
Gravedad: Pendiente de análisis
Última modificación:
30/06/2026

CVE-2026-53315

Fecha de publicación:
26/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amd/ras: Fix NULL deref in ras_core_get_utc_second_timestamp()<br /> <br /> ras_core_get_utc_second_timestamp() retrieves the current UTC timestamp<br /> (in seconds since the Unix epoch) through a platform-specific RAS system<br /> callback and is used for timestamping RAS error events.<br /> <br /> The function checks ras_core in the conditional statement before calling<br /> the sys_fn callback. However, when the condition fails, the function<br /> prints an error message using ras_core-&gt;dev.<br /> <br /> If ras_core is NULL, this can lead to a potential NULL pointer<br /> dereference when accessing ras_core-&gt;dev.<br /> <br /> Add an early NULL check for ras_core at the beginning of the function<br /> and return 0 when the pointer is not valid. This prevents the<br /> dereference and makes the control flow clearer.
Gravedad: Pendiente de análisis
Última modificación:
30/06/2026

CVE-2026-53316

Fecha de publicación:
26/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amd/ras: Fix NULL deref in ras_core_ras_interrupt_detected()<br /> <br /> Fixes a NULL pointer dereference when ras_core is NULL and ras_core-&gt;dev<br /> is accessed in the error path.<br /> <br /> Reported by: Dan Carpenter
Gravedad: Pendiente de análisis
Última modificación:
30/06/2026

CVE-2026-53298

Fecha de publicación:
26/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: airoha: Move ndesc initialization at end of airoha_qdma_init_rx_queue()<br /> <br /> If queue entry or DMA descriptor list allocation fails in<br /> airoha_qdma_init_rx_queue routine, airoha_qdma_cleanup() will trigger a<br /> NULL pointer dereference running netif_napi_del() for RX queue NAPIs<br /> since netif_napi_add() has never been executed to this particular RX NAPI.<br /> The issue is due to the early ndesc initialization in<br /> airoha_qdma_init_rx_queue() since airoha_qdma_cleanup() relies on ndesc<br /> value to check if the queue is properly initialized. Fix the issue moving<br /> ndesc initialization at end of airoha_qdma_init_tx routine.<br /> Move page_pool allocation after descriptor list allocation in order to<br /> avoid memory leaks if desc allocation fails.
Gravedad: Pendiente de análisis
Última modificación:
30/06/2026

CVE-2026-53299

Fecha de publicación:
26/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: airoha: Move ndesc initialization at end of airoha_qdma_init_tx()<br /> <br /> If queue entry list allocation fails in airoha_qdma_init_tx_queue routine,<br /> airoha_qdma_cleanup_tx_queue() will trigger a NULL pointer dereference<br /> accessing the queue entry array. The issue is due to the early ndesc<br /> initialization in airoha_qdma_init_tx_queue(). Fix the issue moving ndesc<br /> initialization at end of airoha_qdma_init_tx routine.
Gravedad: Pendiente de análisis
Última modificación:
30/06/2026

CVE-2026-53300

Fecha de publicación:
26/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: enetc: fix NTMP DMA use-after-free issue<br /> <br /> The AI-generated review reported a potential DMA use-after-free issue<br /> [1]. If netc_xmit_ntmp_cmd() times out and returns an error, the pending<br /> command is not explicitly aborted, while ntmp_free_data_mem()<br /> unconditionally frees the DMA buffer. If the buffer has already been<br /> reallocated elsewhere, this may lead to silent memory corruption. Because<br /> the hardware eventually processes the pending command and perform a DMA<br /> write of the response to the physical address of the freed buffer.<br /> <br /> To resolve this issue, this patch does the following modifications:<br /> <br /> 1. Convert cbdr-&gt;ring_lock from a spinlock to a mutex<br /> <br /> The lock was originally a spinlock in case NTMP operations might be<br /> invoked from atomic context. After downstream support for all NTMP<br /> tables, no such usage has materialized. A mutex lock is now required<br /> because the driver now needs to reclaim used BDs and release associated<br /> DMA memory within the lock&amp;#39;s context, while dma_free_coherent() might<br /> sleep.<br /> <br /> 2. Introduce software command BD (struct netc_swcbd)<br /> <br /> The hardware write-back overwrites the addr and len fields of the BD,<br /> so the driver cannot rely on the hardware BD to free the associated DMA<br /> memory. The driver now maintains a software shadow BD storing the DMA<br /> buffer pointer, DMA address, and size. And netc_xmit_ntmp_cmd() only<br /> reclaims older BDs when the number of used BDs reaches<br /> NETC_CBDR_CLEAN_WORK (16). The software BD enables correct DMA memory<br /> release. With this, struct ntmp_dma_buf and ntmp_free_data_mem() are no<br /> longer needed and are removed.<br /> <br /> 3. Require callers to hold ring_lock across netc_xmit_ntmp_cmd()<br /> <br /> netc_xmit_ntmp_cmd() releases the ring_lock before the caller finishes<br /> consuming the response. At this point, if a concurrent thread submits<br /> a new command, it may trigger ntmp_clean_cbdr() and free the DMA buffer<br /> while it is still in use. Move ring_lock ownership to the caller to<br /> ensure the response buffer cannot be reclaimed prematurely. So the<br /> helpers ntmp_select_and_lock_cbdr() and ntmp_unlock_cbdr() are added.<br /> <br /> These changes eliminate the DMA use-after-free condition and ensure safe<br /> and consistent BD reclamation and DMA buffer lifecycle management.
Gravedad CVSS v3.1: ALTA
Última modificación:
30/06/2026

CVE-2026-53301

Fecha de publicación:
26/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> reset: amlogic: t7: Fix null reset ops<br /> <br /> Fix missing reset ops causing kernel null pointer dereference.<br /> This SOC&amp;#39;s reset is currently not used yet.
Gravedad: Pendiente de análisis
Última modificación:
30/06/2026

CVE-2026-53302

Fecha de publicación:
26/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> crypto: eip93 - fix hmac setkey algo selection<br /> <br /> eip93_hmac_setkey() allocates a temporary ahash transform for<br /> computing HMAC ipad/opad key material. The allocation uses the<br /> driver-specific cra_driver_name (e.g. "sha256-eip93") but passes<br /> CRYPTO_ALG_ASYNC as the mask, which excludes async algorithms.<br /> <br /> Since the EIP93 hash algorithms are the only ones registered<br /> under those driver names and they are inherently async, the<br /> lookup is self-contradictory and always fails with -ENOENT.<br /> <br /> When called from the AEAD setkey path, this failure leaves the<br /> SA record partially initialized with zeroed digest fields. A<br /> subsequent crypto operation then dereferences a NULL pointer in<br /> the request context, resulting in a kernel panic:<br /> <br /> ```<br /> pc : eip93_aead_handle_result+0xc8c/0x1240 [crypto_hw_eip93]<br /> lr : eip93_aead_handle_result+0xbec/0x1240 [crypto_hw_eip93]<br /> sp : ffffffc082feb820<br /> x29: ffffffc082feb820 x28: ffffff8011043980 x27: 0000000000000000<br /> x26: 0000000000000000 x25: ffffffc078da0bc8 x24: 0000000091043980<br /> x23: ffffff8004d59e50 x22: ffffff8004d59410 x21: ffffff8004d593c0<br /> x20: ffffff8004d593c0 x19: ffffff8004d4f300 x18: 0000000000000000<br /> x17: 0000000000000000 x16: 0000000000000000 x15: 0000007fda7aa498<br /> x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000<br /> x11: 0000000000000000 x10: fffffffff8127a80 x9 : 0000000000000000<br /> x8 : ffffff8004d4f380 x7 : 0000000000000000 x6 : 000000000000003f<br /> x5 : 0000000000000040 x4 : 0000000000000008 x3 : 0000000000000009<br /> x2 : 0000000000000008 x1 : 0000000028000003 x0 : ffffff8004d388c0<br /> Code: 910142b6 f94012e0 f9002aa0 f90006d3 (f9400740)<br /> ```<br /> <br /> The reported symbol eip93_aead_handle_result+0xc8c is a<br /> resolution artifact from static functions being merged under<br /> the nearest exported symbol. Decoding the faulting sequence:<br /> <br /> ```<br /> 910142b6 ADD X22, X21, #0x50<br /> f94012e0 LDR X0, [X23, #0x20]<br /> f9002aa0 STR X0, [X21, #0x50]<br /> f90006d3 STR X19, [X22, #0x8]<br /> f9400740 LDR X0, [X26, #0x8]<br /> ```<br /> <br /> The faulting LDR at [X26, #0x8] is loading ctx-&gt;flags<br /> (offset 8 in eip93_hash_ctx), where ctx has been resolved<br /> to NULL from a partially initialized or unreachable<br /> transform context following the failed setkey.<br /> <br /> Fix this by dropping the CRYPTO_ALG_ASYNC mask from the<br /> crypto_alloc_ahash() call. The code already handles async<br /> completion correctly via crypto_wait_req(), so there is no<br /> requirement to restrict the lookup to synchronous algorithms.<br /> <br /> Note that hashing a single 64-byte block through the hardware<br /> is likely slower than doing it in software due to the DMA<br /> round-trip overhead, but offloading it may still spare CPU<br /> cycles on the slower embedded cores where this IP is found.<br /> <br /> [Detailed investigation report of this bug]
Gravedad: Pendiente de análisis
Última modificación:
30/06/2026

CVE-2026-53303

Fecha de publicación:
26/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> f2fs: protect extension_list reading with sb_lock in f2fs_sbi_show()<br /> <br /> In f2fs_sbi_show(), the extension_list, extension_count and<br /> hot_ext_count are read without holding sbi-&gt;sb_lock. If a concurrent<br /> sysfs store modifies the extension list via f2fs_update_extension_list(),<br /> the show path may read inconsistent count and array contents, potentially<br /> leading to out-of-bounds access or displaying stale data.<br /> <br /> Fix this by holding sb_lock around the entire extension list read<br /> and format operation.
Gravedad: Pendiente de análisis
Última modificación:
30/06/2026

CVE-2026-53304

Fecha de publicación:
26/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> scsi: sg: Resolve soft lockup issue when opening /dev/sgX<br /> <br /> The parameter def_reserved_size defines the default buffer size reserved<br /> for each Sg_fd and should be restricted to a range between 0 and 1,048,576<br /> (see https://tldp.org/HOWTO/SCSI-Generic-HOWTO/proc.html). Although the<br /> function sg_proc_write_dressz enforces this limit, it is possible to bypass<br /> it by directly modifying the module parameter as shown below, which then<br /> causes a soft lockup:<br /> <br /> echo -1 &gt; /sys/module/sg/parameters/def_reserved_size<br /> exec 4 /dev/sg0<br /> <br /> watchdog: BUG: soft lockup - CPU#5 stuck for 26 seconds! [bash:537]<br /> Modules loaded:<br /> CPU: 5 UID: 0 PID: 537 Command: bash, kernel version 6.19.0-rc3+ #134,<br /> PREEMPT disabled<br /> Hardware: QEMU Standard PC (i440FX + PIIX, 1996), BIOS version<br /> 1.16.1-2.fc37 dated 04/01/2014<br /> ...<br /> Call Trace:<br /> <br /> sg_build_reserve+0x5c/0xa0<br /> sg_add_sfp+0x168/0x270<br /> sg_open+0x16e/0x340<br /> chrdev_open+0xbe/0x230<br /> do_dentry_open+0x175/0x480<br /> vfs_open+0x34/0xf0<br /> do_open+0x265/0x3d0<br /> path_openat+0x110/0x290<br /> do_filp_open+0xc3/0x170<br /> do_sys_openat2+0x71/0xe0<br /> __x64_sys_openat+0x6d/0xa0<br /> do_syscall_64+0x62/0x310<br /> entry_SYSCALL_64_after_hwframe+0x76/0x7e<br /> <br /> The fix is to use module_param_cb to validate and reject invalid values<br /> assigned to def_reserved_size.
Gravedad: Pendiente de análisis
Última modificación:
30/06/2026

CVE-2026-53305

Fecha de publicación:
26/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> usb: typec: ps883x: Fix Oops at unbind<br /> <br /> When trying to unbind a device in order to bind to it vfio-platform as:<br /> <br /> echo bc0000.geniqup &gt; /sys/bus/platform/devices/bc0000.geniqup/driver/unbind<br /> <br /> I get the following Oops:<br /> <br /> [ 436.478639] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020<br /> [ 436.487762] Mem abort info:<br /> [ 436.490716] ESR = 0x0000000096000004<br /> [ 436.494595] EC = 0x25: DABT (current EL), IL = 32 bits<br /> [ 436.500071] SET = 0, FnV = 0<br /> [ 436.503250] EA = 0, S1PTW = 0<br /> [ 436.506505] FSC = 0x04: level 0 translation fault<br /> [ 436.511533] Data abort info:<br /> [ 436.514558] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000<br /> [ 436.520215] CM = 0, WnR = 0, TnD = 0, TagAccess = 0<br /> [ 436.525436] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0<br /> [ 436.530918] user pgtable: 4k pages, 48-bit VAs, pgdp=00000008861a9000<br /> [ 436.537554] [0000000000000020] pgd=0000000000000000, p4d=0000000000000000<br /> [ 436.544548] Internal error: Oops: 0000000096000004 [#1] SMP<br /> [ 436.550374] Modules linked in:<br /> [ 436.553542] CPU: 2 UID: 0 PID: 671 Comm: bash Tainted: G W 7.0.0-rc3-g56fcdd0911a5-dirty #2 PREEMPT<br /> [ 436.564440] Tainted: [W]=WARN<br /> [ 436.567515] Hardware name: LENOVO 91B6CTO1WW/3796, BIOS O6NKT3BA 05/02/2025<br /> [ 436.574675] pstate: 21400005 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)<br /> [ 436.581841] pc : ps883x_retimer_remove+0x14/0x94<br /> [ 436.586605] lr : i2c_device_remove+0x28/0x84<br /> [ 436.591017] sp : ffff8000847137c0<br /> <br /> That&amp;#39;s because the ps883x_retimer_remove() retrieves the driver data<br /> from i2c_get_clientdata() which was never set at probe. So, add<br /> i2c_set_clientdata() at the end of the probe.
Gravedad: Pendiente de análisis
Última modificación:
30/06/2026