Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Vulnerabilidades

Con el objetivo de informar, advertir y ayudar a los profesionales sobre las últimas vulnerabilidades de seguridad en sistemas tecnológicos, ponemos a disposición de los usuarios interesados en esta información una base de datos con información en castellano sobre cada una de las últimas vulnerabilidades documentadas y conocidas.

Este repositorio con más de 75.000 registros esta basado en la información de NVD (National Vulnerability Database) – en función de un acuerdo de colaboración – por el cual desde INCIBE realizamos la traducción al castellano de la información incluida. En ocasiones este listado mostrará vulnerabilidades que aún no han sido traducidas debido a que se recogen en el transcurso del tiempo en el que el equipo de INCIBE realiza el proceso de traducción.

Se emplea el estándar de nomenclatura de vulnerabilidades CVE (Common Vulnerabilities and Exposures), con el fin de facilitar el intercambio de información entre diferentes bases de datos y herramientas. Cada una de las vulnerabilidades recogidas enlaza a diversas fuentes de información así como a parches disponibles o soluciones aportadas por los fabricantes y desarrolladores. Es posible realizar búsquedas avanzadas teniendo la opción de seleccionar diferentes criterios como el tipo de vulnerabilidad, fabricante, tipo de impacto entre otros, con el fin de acortar los resultados.

Mediante suscripción RSS o Boletines podemos estar informados diariamente de las últimas vulnerabilidades incorporadas al repositorio.

CVE-2026-46174

Fecha de publicación:
28/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> x86/CPU/AMD: Prevent improper isolation of shared resources in Zen2&amp;#39;s op cache<br /> <br /> Make sure resources are not improperly shared in the op cache and<br /> cause instruction corruption this way.
Gravedad CVSS v3.1: ALTA
Última modificación:
10/06/2026

CVE-2026-46177

Fecha de publicación:
28/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ipmi: Add limits to event and receive message requests<br /> <br /> The driver would just fetch events and receive messages until the<br /> BMC said it was done. To avoid issues with BMCs that never say they are<br /> done, add a limit of 10 fetches at a time.<br /> <br /> In addition, an si interface has an attn state it can return from the<br /> hardware which is supposed to cause a flag fetch to see if the driver<br /> needs to fetch events or message or a few other things. If the attn<br /> bit gets stuck, it&amp;#39;s a similar problem. So allow messages in between<br /> flag fetches so the driver itself doesn&amp;#39;t get stuck.<br /> <br /> This is a more general fix than the previous fix for the specific bad<br /> BMC, but should fix the more general issue of a BMC that won&amp;#39;t stop<br /> saying it has data.<br /> <br /> This has been there from the beginning of the driver. It&amp;#39;s not a bug<br /> per-se, but it is accounting for bugs in BMCs.
Gravedad CVSS v3.1: ALTA
Última modificación:
10/06/2026

CVE-2026-46175

Fecha de publicación:
28/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> f2fs: fix fsck inconsistency caused by FGGC of node block<br /> <br /> During FGGC node block migration, fsck may incorrectly treat the<br /> migrated node block as fsync-written data.<br /> <br /> The reproduction scenario:<br /> root@vm:/mnt/f2fs# seq 1 2048 | xargs -n 1 ./test_sync // write inline inode and sync<br /> root@vm:/mnt/f2fs# rm -f 1<br /> root@vm:/mnt/f2fs# sync<br /> root@vm:/mnt/f2fs# f2fs_io gc_range // move data block in sync mode and not write CP<br /> SPO, "fsck --dry-run" find inode has already checkpointed but still<br /> with DENT_BIT_SHIFT set<br /> <br /> The root cause is that GC does not clear the dentry mark and fsync mark<br /> during node block migration, leading fsck to misinterpret them as<br /> user-issued fsync writes.<br /> <br /> In BGGC mode, node block migration is handled by f2fs_sync_node_pages(),<br /> which guarantees the dentry and fsync marks are cleared before writing.<br /> <br /> This patch move the set/clear of the fsync|dentry marks into<br /> __write_node_folio to make the logic clearer, and ensures the<br /> fsync|dentry mark is cleared in FGGC.
Gravedad CVSS v3.1: ALTA
Última modificación:
10/06/2026

CVE-2026-46178

Fecha de publicación:
28/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> RDMA/mlx4: Fix resource leak on error in mlx4_ib_create_srq()<br /> <br /> Sashiko points out that mlx4_srq_alloc() was not undone during error<br /> unwind, add the missing call to mlx4_srq_free().
Gravedad CVSS v3.1: ALTA
Última modificación:
11/06/2026

CVE-2026-46179

Fecha de publicación:
28/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ASoC: SOF: Don&amp;#39;t allow pointer operations on unconfigured streams<br /> <br /> When reporting the pointer for a compressed stream we report the current<br /> I/O frame position by dividing the position by the number of channels<br /> multiplied by the number of container bytes. These values default to 0 and<br /> are only configured as part of setting the stream parameters so this allows<br /> a divide by zero to be configured. Validate that they are non zero,<br /> returning an error if not
Gravedad CVSS v3.1: MEDIA
Última modificación:
11/06/2026

CVE-2026-46182

Fecha de publicación:
28/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> pseries/papr-hvpipe: Prevent kernel stack memory leak to userspace<br /> <br /> The hdr variable is allocated on the stack and only hdr.version and<br /> hdr.flags are initialized explicitly. Because the struct papr_hvpipe_hdr<br /> contains reserved padding bytes (reserved[3] and reserved2[40]), these<br /> could leak the uninitialized bytes to userspace after copy_to_user().<br /> <br /> This patch fixes that by initializing the whole struct to 0.
Gravedad CVSS v3.1: MEDIA
Última modificación:
11/06/2026

CVE-2026-46183

Fecha de publicación:
28/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mm/damon/sysfs-schemes: protect path kfree() with damon_sysfs_lock<br /> <br /> damon_sysfs_quot_goal-&gt;path can be read and written by users, via DAMON<br /> sysfs &amp;#39;path&amp;#39; file. It can also be indirectly read, for the parameters<br /> {on,off}line committing to DAMON. The reads for parameters committing are<br /> protected by damon_sysfs_lock to avoid the sysfs files being destroyed<br /> while any of the parameters are being read. But the user-driven direct<br /> reads and writes are not protected by any lock, while the write is<br /> deallocating the path-pointing buffer. As a result, the readers could<br /> read the already freed buffer (user-after-free). Note that the user-reads<br /> don&amp;#39;t race when the same open file is used by the writer, due to kernfs&amp;#39;s<br /> open file locking. Nonetheless, doing the reads and writes with separate<br /> open files would be common. Fix it by protecting both the user-direct<br /> reads and writes with damon_sysfs_lock.
Gravedad CVSS v3.1: ALTA
Última modificación:
11/06/2026

CVE-2026-46180

Fecha de publicación:
28/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: brcmfmac: Fix potential use-after-free issue when stopping watchdog task<br /> <br /> Watchdog task might end between send_sig() and kthread_stop() calls, what<br /> results in the use-after-free issue. Fix this by increasing watchdog task<br /> reference count before calling send_sig() and dropping it by switching to<br /> kthread_stop_put().
Gravedad CVSS v3.1: ALTA
Última modificación:
19/06/2026

CVE-2026-46176

Fecha de publicación:
28/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init()<br /> <br /> mlx5_ib_dev_res_srq_init() allocates two SRQs, s0 and s1. When<br /> ib_create_srq() fails for s1, the error branch destroys s0 but falls<br /> through and unconditionally assigns the freed s0 and the ERR_PTR s1 to<br /> devr-&gt;s0 and devr-&gt;s1.<br /> <br /> This leads to several problems: the lock-free fast path checks<br /> "if (devr-&gt;s1) return 0;" and treats the ERR_PTR as already initialised;<br /> users in mlx5_ib_create_qp() dereference the freed SRQ or ERR_PTR via<br /> to_msrq(devr-&gt;s0)-&gt;msrq.srqn; and mlx5_ib_dev_res_cleanup() dereferences<br /> the ERR_PTR and double-frees s0 on teardown.<br /> <br /> Fix by adding the same `goto unlock` in the s1 failure path.
Gravedad CVSS v3.1: ALTA
Última modificación:
02/07/2026

CVE-2026-46181

Fecha de publicación:
28/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> RDMA/mlx4: Fix mis-use of RCU in mlx4_srq_event()<br /> <br /> Sashiko points out the radix_tree itself is RCU safe, but nothing ever<br /> frees the mlx4_srq struct with RCU, and it isn&amp;#39;t even accessed within the<br /> RCU critical section. It also will crash if an event is delivered before<br /> the srq object is finished initializing.<br /> <br /> Use the spinlock since it isn&amp;#39;t easy to make RCU work, use<br /> refcount_inc_not_zero() to protect against partially initialized objects,<br /> and order the refcount_set() to be after the srq is fully initialized.
Gravedad CVSS v3.1: ALTA
Última modificación:
02/07/2026

CVE-2026-46173

Fecha de publicación:
28/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> exit: prevent preemption of oopsing TASK_DEAD task<br /> <br /> When an already-exiting task oopses, make_task_dead() currently calls<br /> do_task_dead() with preemption enabled. That is forbidden:<br /> do_task_dead() calls __schedule(), which has a comment saying "WARNING:<br /> must be called with preemption disabled!".<br /> <br /> If an oopsing task is preempted in do_task_dead(), between becoming<br /> TASK_DEAD and entering the scheduler explicitly, bad things happen:<br /> finish_task_switch() assumes that once the scheduler has switched away<br /> from a TASK_DEAD task, the task can never run again and its stack is no<br /> longer needed; but that assumption apparently doesn&amp;#39;t hold if the dead<br /> task was preempted (the SM_PREEMPT case).<br /> <br /> This means that the scheduler ends up repeatedly dropping references on<br /> the dead task&amp;#39;s stack, which can lead to use-after-free or double-free<br /> of the entire task stack; in other words, two tasks can end up running<br /> on the same stack, resulting in various kinds of memory corruption.<br /> <br /> (This does not just affect "recursively oopsing" tasks; it is enough to<br /> oops once during task exit, for example in a file_operations::release<br /> handler)
Gravedad CVSS v3.1: ALTA
Última modificación:
10/06/2026

CVE-2026-46172

Fecha de publicación:
28/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ipv6: xfrm6: release dst on error in xfrm6_rcv_encap()<br /> <br /> xfrm6_rcv_encap() performs an IPv6 route lookup when the skb does not<br /> already have a dst attached. ip6_route_input_lookup() returns a<br /> referenced dst entry even when the lookup resolves to an error route.<br /> <br /> If dst-&gt;error is set, xfrm6_rcv_encap() drops the skb without attaching<br /> the dst to the skb and without releasing the reference returned by the<br /> lookup. Repeated packets hitting this path therefore leak dst entries.<br /> <br /> Release the dst before jumping to the drop path.
Gravedad CVSS v3.1: MEDIA
Última modificación:
10/06/2026