Instituto Nacional de Ciberseguridad (Spanish National Cybersecurity Institute). INCIBE-CERT section

Vulnerabilities

To inform, warn and help professionals regarding the latest security vulnerabilities in technology systems, we make available to interested users a database with information in Spanish on each of the latest documented and known vulnerabilities.

This repository, with more than 75,000 records, is based on information from the NVD (National Vulnerability Database) under a collaboration agreement, by which INCIBE translates the included information into Spanish. At times this list will show vulnerabilities that have not yet been translated, because they are collected while the INCIBE team is still carrying out the translation process.

The CVE (Common Vulnerabilities and Exposures) vulnerability naming standard is used in order to facilitate the exchange of information between different databases and tools. Each of the listed vulnerabilities links to various sources of information as well as to available patches or solutions provided by vendors and developers. Advanced searches are possible, with the option of selecting different criteria such as vulnerability type, vendor and impact type, among others, in order to narrow the results.

By subscribing to the RSS feed or the bulletins, we can be informed daily of the latest vulnerabilities added to the repository.

CVE-2026-46095

Publication date: 27/05/2026
Language: English
*** Pending translation ***
In the Linux kernel, the following vulnerability has been resolved:

md/md-llbitmap: raise barrier before state machine transition

Move the barrier raise operation before calling llbitmap_state_machine() in both llbitmap_start_write() and llbitmap_start_discard(). This ensures the barrier is in place before any state transitions occur, preventing potential race conditions where the state machine could complete before the barrier is properly raised.

Severity: Pending analysis
Last modified: 27/05/2026

CVE-2026-46096

Publication date: 27/05/2026
Language: English
*** Pending translation ***
In the Linux kernel, the following vulnerability has been resolved:

tpm2-sessions: Fix missing tpm_buf_destroy() in tpm2_read_public()

tpm2_read_public() calls tpm_buf_init() but fails to call tpm_buf_destroy() on two exit paths, leaking a page allocation:

1. When name_size() returns an error (unrecognized hash algorithm), the function returns directly without destroying the buffer.

2. On the success path, the buffer is never destroyed before returning.

All other error paths in the function correctly call tpm_buf_destroy() before returning.

Fix both by adding the missing tpm_buf_destroy() calls.

Severity: Pending analysis
Last modified: 27/05/2026

CVE-2026-46097

Publication date: 27/05/2026
Language: English
*** Pending translation ***
In the Linux kernel, the following vulnerability has been resolved:

Input: edt-ft5x06 - fix use-after-free in debugfs teardown

The commit 68743c500c6e ("Input: edt-ft5x06 - use per-client debugfs directory") removed the manual debugfs teardown, relying on the I2C core to handle it. However, this creates a window where debugfs files are still accessible after edt_ft5x06_ts_teardown_debugfs() frees tsdata->raw_buffer.

To prevent a use-after-free, protect the freeing of raw_buffer with the device mutex and set raw_buffer to NULL. The debugfs read function already checks if raw_buffer is NULL under the same mutex, so this safely avoids the use-after-free.

Severity: Pending analysis
Last modified: 27/05/2026

CVE-2026-46100

Publication date: 27/05/2026
Language: English
*** Pending translation ***
In the Linux kernel, the following vulnerability has been resolved:

fs: afs: revert mmap_prepare() change

Partially reverts commit 9d5403b1036c ("fs: convert most other generic_file_*mmap() users to .mmap_prepare()").

This is because the .mmap invocation establishes a refcount, but .mmap_prepare is called at a point where a merge or an allocation failure might happen after the call, which would leak the refcount increment.

Functionality is being added to permit the use of .mmap_prepare in this case, but in the interim, we need to fix this.

CVSS v3.1 severity: HIGH
Last modified: 30/05/2026

CVE-2026-46098

Publication date: 27/05/2026
Language: English
*** Pending translation ***
In the Linux kernel, the following vulnerability has been resolved:

net: caif: clear client service pointer on teardown

`caif_connect()` can tear down an existing client after remote shutdown by calling `caif_disconnect_client()` followed by `caif_free_client()`. `caif_free_client()` releases the service layer referenced by `adap_layer->dn`, but leaves that pointer stale.

When the socket is later destroyed, `caif_sock_destructor()` calls `caif_free_client()` again and dereferences the freed service pointer.

Clear the client/service links before releasing the service object so repeated teardown becomes harmless.

Severity: Pending analysis
Last modified: 01/06/2026

CVE-2026-46099

Publication date: 27/05/2026
Language: English
*** Pending translation ***
In the Linux kernel, the following vulnerability has been resolved:

net: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels

seg6_input_core() and rpl_input() call ip6_route_input() which sets a NOREF dst on the skb, then pass it to dst_cache_set_ip6() invoking dst_hold() unconditionally.
On PREEMPT_RT, ksoftirqd is preemptible and a higher-priority task can release the underlying pcpu_rt between the lookup and the caching through a concurrent FIB lookup on a shared nexthop.
Simplified race sequence:

    ksoftirqd/X                          higher-prio task (same CPU X)
    -----------                          --------------------------------
    seg6_input_core(,skb)/rpl_input(skb)
    dst_cache_get()
      -> miss
    ip6_route_input(skb)
      -> ip6_pol_route(,skb,flags)
         [RT6_LOOKUP_F_DST_NOREF in flags]
      -> FIB lookup resolves fib6_nh
         [nhid=N route]
      -> rt6_make_pcpu_route()
         [creates pcpu_rt, refcount=1]
         pcpu_rt->sernum = fib6_sernum
         [fib6_sernum=W]
      -> cmpxchg(fib6_nh.rt6i_pcpu,
                 NULL, pcpu_rt)
         [slot was empty, store succeeds]
      -> skb_dst_set_noref(skb, dst)
         [dst is pcpu_rt, refcount still 1]

                                         rt_genid_bump_ipv6()
                                           -> bumps fib6_sernum
                                              [fib6_sernum from W to Z]
                                         ip6_route_output()
                                           -> ip6_pol_route()
                                           -> FIB lookup resolves fib6_nh
                                              [nhid=N]
                                           -> rt6_get_pcpu_route()
                                              pcpu_rt->sernum != fib6_sernum
                                              [W Z, stale]
                                           -> prev = xchg(rt6i_pcpu, NULL)
                                           -> dst_release(prev)
                                              [prev is pcpu_rt,
                                               refcount 1->0, dead]

    dst = skb_dst(skb)
    [dst is the dead pcpu_rt]
    dst_cache_set_ip6(dst)
      -> dst_hold() on dead dst
      -> WARN / use-after-free

For the race to occur, ksoftirqd must be preemptible (PREEMPT_RT without PREEMPT_RT_NEEDS_BH_LOCK) and a concurrent task must be able to release the pcpu_rt. Shared nexthop objects provide such a path, as two routes pointing to the same nhid share the same fib6_nh and its rt6i_pcpu entry.

Fix seg6_input_core() and rpl_input() by calling skb_dst_force() after ip6_route_input() to force the NOREF dst into a refcounted one before caching.
The output path is not affected as ip6_route_output() already returns a refcounted dst.

CVSS v3.1 severity: HIGH
Last modified: 30/06/2026

CVE-2026-46087

Publication date: 27/05/2026
Language: English
*** Pending translation ***
In the Linux kernel, the following vulnerability has been resolved:

mm/damon/stat: fix memory leak on damon_start() failure in damon_stat_start()

Destroy the DAMON context and reset the global pointer when damon_start() fails. Otherwise, the context allocated by damon_stat_build_ctx() is leaked, and the stale damon_stat_context pointer will be overwritten on the next enable attempt, making the old allocation permanently unreachable.

Severity: Pending analysis
Last modified: 27/05/2026

CVE-2026-46089

Publication date: 27/05/2026
Language: English
*** Pending translation ***
In the Linux kernel, the following vulnerability has been resolved:

zram: do not forget to endio for partial discard requests

As reported by Qu Wenruo and Avinesh Kumar, the following

    getconf PAGESIZE
    65536
    blkdiscard -p 4k /dev/zram0

takes literally forever to complete. zram doesn't support partial discards and just returns immediately w/o doing any discard work in such cases. The problem is that we forget to endio on our way out, so blkdiscard sleeps forever in submit_bio_wait(). Fix this by jumping to end_bio label, which does bio_endio().

Severity: Pending analysis
Last modified: 27/05/2026

CVE-2026-46091

Publication date: 27/05/2026
Language: English
*** Pending translation ***
In the Linux kernel, the following vulnerability has been resolved:

media: rc: igorplugusb: heed coherency rules

In a control request, the USB request structure can be subject to DMA on some HCs. Hence it must obey the rules for DMA coherency. Allocate it separately.

Severity: Pending analysis
Last modified: 27/05/2026

CVE-2026-46092

Publication date: 27/05/2026
Language: English
*** Pending translation ***
In the Linux kernel, the following vulnerability has been resolved:

wifi: rtw88: check for PCI upstream bridge existence

pci_upstream_bridge() returns NULL if the device is on a root bus. If 8821CE is installed in the system with such a PCI topology, the probing routine will crash. This has probably been unnoticed as 8821CE is mostly supplied in laptops where there is a PCI-to-PCI bridge located upstream from the device. However the card might be installed on a system with different configuration.

Check if the bridge does exist for the specific workaround to be applied.

Found by Linux Verification Center (linuxtesting.org) with Svace static analysis tool.

Severity: Pending analysis
Last modified: 27/05/2026

CVE-2026-46094

Publication date: 27/05/2026
Language: English
*** Pending translation ***
In the Linux kernel, the following vulnerability has been resolved:

ext4: fix bounds check in check_xattrs() to prevent out-of-bounds access

The bounds check for the next xattr entry in check_xattrs() uses (void *)next >= end, which allows next to point within sizeof(u32) bytes of end. On the next loop iteration, IS_LAST_ENTRY() reads 4 bytes via *(__u32 *)(entry), which can overrun the valid xattr region.

For example, if next lands at end - 1, the check passes since next end, ensuring there is always enough space for the IS_LAST_ENTRY() read on the subsequent iteration.

Severity: Pending analysis
Last modified: 27/05/2026

CVE-2026-46093

Publication date: 27/05/2026
Language: English
*** Pending translation ***
In the Linux kernel, the following vulnerability has been resolved:

mm/vmalloc: take vmap_purge_lock in shrinker

decay_va_pool_node() can be invoked concurrently from two paths: __purge_vmap_area_lazy() when pools are being purged, and the shrinker via vmap_node_shrink_scan().

However, decay_va_pool_node() is not safe to run concurrently, and the shrinker path currently lacks serialization, leading to races and possible leaks.

Protect decay_va_pool_node() by taking vmap_purge_lock in the shrinker path to ensure serialization with purge users.

CVSS v3.1 severity: HIGH
Last modified: 30/05/2026