Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Vulnerabilidades

Con el objetivo de informar, advertir y ayudar a los profesionales sobre las últimas vulnerabilidades de seguridad en sistemas tecnológicos, ponemos a disposición de los usuarios interesados en esta información una base de datos con información en castellano sobre cada una de las últimas vulnerabilidades documentadas y conocidas.

Este repositorio con más de 75.000 registros esta basado en la información de NVD (National Vulnerability Database) – en función de un acuerdo de colaboración – por el cual desde INCIBE realizamos la traducción al castellano de la información incluida. En ocasiones este listado mostrará vulnerabilidades que aún no han sido traducidas debido a que se recogen en el transcurso del tiempo en el que el equipo de INCIBE realiza el proceso de traducción.

Se emplea el estándar de nomenclatura de vulnerabilidades CVE (Common Vulnerabilities and Exposures), con el fin de facilitar el intercambio de información entre diferentes bases de datos y herramientas. Cada una de las vulnerabilidades recogidas enlaza a diversas fuentes de información así como a parches disponibles o soluciones aportadas por los fabricantes y desarrolladores. Es posible realizar búsquedas avanzadas teniendo la opción de seleccionar diferentes criterios como el tipo de vulnerabilidad, fabricante, tipo de impacto entre otros, con el fin de acortar los resultados.

Mediante suscripción RSS o Boletines podemos estar informados diariamente de las últimas vulnerabilidades incorporadas al repositorio.

CVE-2026-46225

Fecha de publicación:
28/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> spi: rspi: fix controller deregistration<br /> <br /> Make sure to deregister the controller before releasing underlying<br /> resources like DMA during driver unbind.
Gravedad CVSS v3.1: MEDIA
Última modificación:
10/06/2026

CVE-2026-46226

Fecha de publicación:
28/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> spi: fsl: fix controller deregistration<br /> <br /> Make sure to deregister the controller before releasing underlying<br /> resources like DMA during driver unbind.
Gravedad CVSS v3.1: MEDIA
Última modificación:
10/06/2026

CVE-2026-46233

Fecha de publicación:
28/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> batman-adv: bla: only purge non-released claims<br /> <br /> When batadv_bla_purge_claims() goes through the list of claims, it is only<br /> traversing the hash list with an rcu_read_lock(). Due to a potential<br /> parallel batadv_claim_put(), it can happen that it encounters a claim which<br /> was actually in the process of being released+freed by<br /> batadv_claim_release(). In this case, backbone_gw is set to NULL before the<br /> delayed RCU kfree is started. Calling batadv_bla_claim_get_backbone_gw() is<br /> then no longer allowed because it would cause a NULL-ptr derefence.<br /> <br /> To avoid this, only claims with a valid reference counter must be purged.<br /> All others are already taken care of.
Gravedad CVSS v3.1: MEDIA
Última modificación:
10/06/2026

CVE-2026-46232

Fecha de publicación:
28/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> HID: playstation: Clamp num_touch_reports<br /> <br /> A device would never lie about the number of touch reports would it?<br /> <br /> If it does the loop in dualshock4_parse_report will read off the end of<br /> the touch_reports array, up to about 2 KiB for the maximum number of 256<br /> loop iteraions. The data that is read is emitted via evdev if the<br /> DS4_TOUCH_POINT_INACTIVE bit happens to be set. Protect against this by<br /> clamping the num_touch_reports value provided by the device to the<br /> maximum size of the touch_reports array.
Gravedad CVSS v3.1: ALTA
Última modificación:
10/06/2026

CVE-2026-46231

Fecha de publicación:
28/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> batman-adv: bla: put backbone reference on failed claim hash insert<br /> <br /> When batadv_bla_add_claim() fails to insert a new claim into the hash, it<br /> leaked a reference to the backbone_gw for which the claim was intended.<br /> Call batadv_backbone_gw_put() on the error path to release the reference<br /> and avoid leaking the backbone_gw object.
Gravedad CVSS v3.1: MEDIA
Última modificación:
10/06/2026

CVE-2026-46230

Fecha de publicación:
28/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amdgpu/vcn3: Prevent OOB reads when parsing dec msg<br /> <br /> Check bounds against the end of the BO whenever we access the msg.
Gravedad CVSS v3.1: ALTA
Última modificación:
10/06/2026

CVE-2026-46229

Fecha de publicación:
28/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amdkfd: Clear VRAM on allocation to prevent stale data exposure<br /> <br /> KFD VRAM allocations set AMDGPU_GEM_CREATE_VRAM_WIPE_ON_RELEASE<br /> but not AMDGPU_GEM_CREATE_VRAM_CLEARED, leaving freshly allocated<br /> VRAM with stale data from prior use observable by compute kernels.<br /> <br /> The GEM ioctl path already sets VRAM_CLEARED for all userspace<br /> allocations via amdgpu_gem_create_ioctl() and<br /> amdgpu_mode_dumb_create(). The KFD path was missing this flag,<br /> allowing stale page table remnants to leak into user buffers.<br /> <br /> This causes crashes in RCCL P2P transport where non-zero data in<br /> ptrExchange/head/tail fields corrupts the protocol handshake.
Gravedad CVSS v3.1: MEDIA
Última modificación:
10/06/2026

CVE-2026-46228

Fecha de publicación:
28/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> spi: ch341: fix devres lifetime<br /> <br /> USB drivers bind to USB interfaces and any device managed resources<br /> should have their lifetime tied to the interface rather than parent USB<br /> device. This avoids issues like memory leaks when drivers are unbound<br /> without their devices being physically disconnected (e.g. on probe<br /> deferral or configuration changes).<br /> <br /> Fix the controller and driver data lifetime so that they are released<br /> on driver unbind.<br /> <br /> Note that this also makes sure that the SPI controller is placed<br /> correctly under the USB interface in the device tree.
Gravedad CVSS v3.1: MEDIA
Última modificación:
10/06/2026

CVE-2026-46227

Fecha de publicación:
28/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL<br /> <br /> The SCTP_SENDALL path in sctp_sendmsg() iterates ep-&gt;asocs with<br /> list_for_each_entry_safe(), which caches the next entry in @tmp before<br /> the loop body runs. The body calls sctp_sendmsg_to_asoc(), which may<br /> drop the socket lock inside sctp_wait_for_sndbuf().<br /> <br /> While the lock is dropped, another thread can SCTP_SOCKOPT_PEELOFF the<br /> association cached in @tmp, migrating it to a new endpoint via<br /> sctp_sock_migrate() (list_del_init() + list_add_tail() to<br /> newep-&gt;asocs), and optionally close the new socket which frees the<br /> association via kfree_rcu(). The cached @tmp can also be freed by a<br /> network ABORT for that association, processed in softirq while the<br /> lock is dropped.<br /> <br /> sctp_wait_for_sndbuf() revalidates @asoc (the current entry) on re-lock<br /> via the "sk != asoc-&gt;base.sk" and "asoc-&gt;base.dead" checks, but nothing<br /> revalidates @tmp. After a successful return, the iterator advances to<br /> the stale @tmp, yielding either a use-after-free (if the peeled socket<br /> was closed) or a list-walk onto the new endpoint&amp;#39;s list head (type<br /> confusion of &amp;newep-&gt;asocs as a struct sctp_association *).<br /> <br /> Both are reachable from CapEff=0; the type-confusion path gives<br /> controlled indirect call via the outqueue.sched-&gt;init_sid pointer.<br /> <br /> Fix by re-deriving @tmp from @asoc after sctp_sendmsg_to_asoc()<br /> returns. @asoc is known to still be on ep-&gt;asocs at that point: the<br /> only callers that list_del an association from ep-&gt;asocs are<br /> sctp_association_free() (which sets asoc-&gt;base.dead) and<br /> sctp_assoc_migrate() (which changes asoc-&gt;base.sk), and<br /> sctp_wait_for_sndbuf() checks both under the lock before any<br /> successful return; a tripped check propagates as err
Gravedad CVSS v3.1: ALTA
Última modificación:
02/07/2026

CVE-2026-46219

Fecha de publicación:
28/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> spi: mpc52xx: fix use-after-free on unbind<br /> <br /> The state machine work is scheduled by the interrupt handler and<br /> therefore needs to be cancelled after disabling interrupts to avoid a<br /> potential use-after-free.
Gravedad CVSS v3.1: ALTA
Última modificación:
10/06/2026

CVE-2026-46220

Fecha de publicación:
28/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amdgpu/sdma4: replace BUG_ON with WARN_ON in fence emission<br /> <br /> sdma_v4_0_ring_emit_fence() contains two BUG_ON(addr &amp; 0x3) assertions<br /> that verify fence writeback addresses are dword-aligned. These<br /> assertions can be reached from unprivileged userspace via crafted<br /> DRM_IOCTL_AMDGPU_CS submissions, causing a fatal kernel panic in a<br /> scheduler worker thread.<br /> <br /> Replace both BUG_ON() calls with WARN_ON() to log the condition without<br /> crashing the kernel. A misaligned fence address at this point indicates<br /> a driver bug, but crashing the kernel is never the correct response when<br /> the assertion is reachable from userspace.<br /> <br /> The CS IOCTL path is the correct place to filter invalid submissions;<br /> the ring emission callback is too late to do anything about it.<br /> <br /> (cherry picked from commit b90250bd933afd1ba94d86d6b13821997b22b18e)
Gravedad CVSS v3.1: MEDIA
Última modificación:
10/06/2026

CVE-2026-46221

Fecha de publicación:
28/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> EDAC/versalnet: Fix device name memory leak<br /> <br /> The device name allocated via kzalloc() in init_one_mc() is assigned to<br /> dev-&gt;init_name but never freed on the normal removal path. device_register()<br /> copies init_name and then sets dev-&gt;init_name to NULL, so the name pointer<br /> becomes unreachable from the device. Thus leaking memory.<br /> <br /> Use a stack-local char array instead of using kzalloc() for name.
Gravedad CVSS v3.1: MEDIA
Última modificación:
10/06/2026