Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Vulnerabilidades

Con el objetivo de informar, advertir y ayudar a los profesionales sobre las últimas vulnerabilidades de seguridad en sistemas tecnológicos, ponemos a disposición de los usuarios interesados en esta información una base de datos con información en castellano sobre cada una de las últimas vulnerabilidades documentadas y conocidas.

Este repositorio con más de 75.000 registros esta basado en la información de NVD (National Vulnerability Database) – en función de un acuerdo de colaboración – por el cual desde INCIBE realizamos la traducción al castellano de la información incluida. En ocasiones este listado mostrará vulnerabilidades que aún no han sido traducidas debido a que se recogen en el transcurso del tiempo en el que el equipo de INCIBE realiza el proceso de traducción.

Se emplea el estándar de nomenclatura de vulnerabilidades CVE (Common Vulnerabilities and Exposures), con el fin de facilitar el intercambio de información entre diferentes bases de datos y herramientas. Cada una de las vulnerabilidades recogidas enlaza a diversas fuentes de información así como a parches disponibles o soluciones aportadas por los fabricantes y desarrolladores. Es posible realizar búsquedas avanzadas teniendo la opción de seleccionar diferentes criterios como el tipo de vulnerabilidad, fabricante, tipo de impacto entre otros, con el fin de acortar los resultados.

Mediante suscripción RSS o Boletines podemos estar informados diariamente de las últimas vulnerabilidades incorporadas al repositorio.

CVE-2026-45998

Fecha de publicación:
27/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> rxrpc: Fix potential UAF after skb_unshare() failure<br /> <br /> If skb_unshare() fails to unshare a packet due to allocation failure in<br /> rxrpc_input_packet(), the skb pointer in the parent (rxrpc_io_thread())<br /> will be NULL&amp;#39;d out. This will likely cause the call to<br /> trace_rxrpc_rx_done() to oops.<br /> <br /> Fix this by moving the unsharing down to where rxrpc_input_call_event()<br /> calls rxrpc_input_call_packet(). There are a number of places prior to<br /> that where we ignore DATA packets for a variety of reasons (such as the<br /> call already being complete) for which an unshare is then avoided.<br /> <br /> And with that, rxrpc_input_packet() doesn&amp;#39;t need to take a pointer to the<br /> pointer to the packet, so change that to just a pointer.
Gravedad CVSS v3.1: ALTA
Última modificación:
30/06/2026

CVE-2026-45992

Fecha de publicación:
27/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Gravedad: Pendiente de análisis
Última modificación:
15/06/2026

CVE-2026-45994

Fecha de publicación:
27/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ibmasm: fix OOB reads in command_file_write due to missing size checks<br /> <br /> The command_file_write() handler allocates a kernel buffer of exactly<br /> count bytes and copies user data into it, but does not validate the<br /> buffer against the dot command protocol before passing it to<br /> get_dot_command_size() and get_dot_command_timeout().<br /> <br /> Since both the allocation size (count) and the header fields (command_size,<br /> data_size) are independently user-controlled, an attacker can cause<br /> get_dot_command_size() to return a value exceeding the allocation,<br /> triggering OOB reads in get_dot_command_timeout() and an out-of-bounds<br /> memcpy_toio() that leaks kernel heap memory to the service processor.<br /> <br /> Fix with two guards: reject writes smaller than sizeof(struct<br /> dot_command_header) before allocation, then after copying user data<br /> reject commands where the buffer is smaller than the total size declared<br /> by the header (sizeof(header) + command_size + data_size). This ensures<br /> all subsequent header and payload field accesses stay within the buffer.
Gravedad CVSS v3.1: ALTA
Última modificación:
16/06/2026

CVE-2026-45990

Fecha de publicación:
27/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> slub: fix data loss and overflow in krealloc()<br /> <br /> Commit 2cd8231796b5 ("mm/slub: allow to set node and align in<br /> k[v]realloc") introduced the ability to force a reallocation if the<br /> original object does not satisfy new alignment or NUMA node, even when<br /> the object is being shrunk.<br /> <br /> This introduced two bugs in the reallocation fallback path:<br /> <br /> 1. Data loss during NUMA migration: The jump to &amp;#39;alloc_new&amp;#39; happens<br /> before &amp;#39;ks&amp;#39; and &amp;#39;orig_size&amp;#39; are initialized. As a result, the<br /> memcpy() in the &amp;#39;alloc_new&amp;#39; block would copy 0 bytes into the new<br /> allocation.<br /> <br /> 2. Buffer overflow during shrinking: When shrinking an object while<br /> forcing a new alignment, &amp;#39;new_size&amp;#39; is smaller than the old size.<br /> However, the memcpy() used the old size (&amp;#39;orig_size ?: ks&amp;#39;), leading<br /> to an out-of-bounds write.<br /> <br /> The same overflow bug exists in the kvrealloc() fallback path, where the<br /> old bucket size ksize(p) is copied into the new buffer without being<br /> bounded by the new size.<br /> <br /> A simple reproducer:<br /> <br /> // e.g. add to lkdtm as KREALLOC_SHRINK_OVERFLOW<br /> while (1) {<br /> void *p = kmalloc(128, GFP_KERNEL);<br /> p = krealloc_node_align(p, 64, 256, GFP_KERNEL, NUMA_NO_NODE);<br /> kfree(p);<br /> }<br /> <br /> demonstrates the issue:<br /> <br /> ==================================================================<br /> BUG: KFENCE: out-of-bounds write in memcpy_orig+0x68/0x130<br /> <br /> Out-of-bounds write at 0xffff8883ad757038 (120B right of kfence-#47):<br /> memcpy_orig+0x68/0x130<br /> krealloc_node_align_noprof+0x1c8/0x340<br /> lkdtm_KREALLOC_SHRINK_OVERFLOW+0x8c/0xc0 [lkdtm]<br /> lkdtm_do_action+0x3a/0x60 [lkdtm]<br /> ...<br /> <br /> kfence-#47: 0xffff8883ad756fc0-0xffff8883ad756fff, size=64, cache=kmalloc-64<br /> <br /> allocated by task 316 on cpu 7 at 97.680481s (0.021813s ago):<br /> krealloc_node_align_noprof+0x19c/0x340<br /> lkdtm_KREALLOC_SHRINK_OVERFLOW+0x8c/0xc0 [lkdtm]<br /> lkdtm_do_action+0x3a/0x60 [lkdtm]<br /> ...<br /> ==================================================================<br /> <br /> Fix it by moving the old size calculation to the top of __do_krealloc()<br /> and bounding all copy lengths by the new allocation size.
Gravedad CVSS v3.1: MEDIA
Última modificación:
16/06/2026

CVE-2026-45989

Fecha de publicación:
27/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> of: unittest: fix use-after-free in testdrv_probe()<br /> <br /> The function testdrv_probe() retrieves the device_node from the PCI<br /> device, applies an overlay, and then immediately calls of_node_put(dn).<br /> This releases the reference held by the PCI core, potentially freeing<br /> the node if the reference count drops to zero. Later, the same freed<br /> pointer &amp;#39;dn&amp;#39; is passed to of_platform_default_populate(), leading to a<br /> use-after-free.<br /> <br /> The reference to pdev-&gt;dev.of_node is owned by the device model and<br /> should not be released by the driver. Remove the erroneous of_node_put()<br /> to prevent premature freeing.
Gravedad CVSS v3.1: ALTA
Última modificación:
16/06/2026

CVE-2026-45988

Fecha de publicación:
27/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> rxrpc: Fix re-decryption of RESPONSE packets<br /> <br /> If a RESPONSE packet gets a temporary failure during processing, it may end<br /> up in a partially decrypted state - and then get requeued for a retry.<br /> <br /> Fix this by just discarding the packet; we will send another CHALLENGE<br /> packet and thereby elicit a further response. Similarly, discard an<br /> incoming CHALLENGE packet if we get an error whilst generating a RESPONSE;<br /> the server will send another CHALLENGE.
Gravedad CVSS v3.1: CRÍTICA
Última modificación:
16/06/2026

CVE-2026-45987

Fecha de publicación:
27/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> KVM: nSVM: Sync interrupt shadow to cached vmcb12 after VMRUN of L2<br /> <br /> After VMRUN in guest mode, nested_sync_control_from_vmcb02() syncs<br /> fields written by the CPU from vmcb02 to the cached vmcb12. This is<br /> because the cached vmcb12 is used as the authoritative copy of some of<br /> the controls, and is the payload when saving/restoring nested state.<br /> <br /> int_state is also written by the CPU, specifically bit 0 (i.e.<br /> SVM_INTERRUPT_SHADOW_MASK) for nested VMs, but it is not sync&amp;#39;d to<br /> cached vmcb12. This does not cause a problem if KVM_SET_NESTED_STATE<br /> preceeds KVM_SET_VCPU_EVENTS in the restore path, as an interrupt shadow<br /> would be correctly restored to vmcb02 (KVM_SET_VCPU_EVENTS overwrites<br /> what KVM_SET_NESTED_STATE restored in int_state).<br /> <br /> However, if KVM_SET_VCPU_EVENTS preceeds KVM_SET_NESTED_STATE, an<br /> interrupt shadow would be restored into vmcb01 instead of vmcb02. This<br /> would mostly be benign for L1 (delays an interrupt), but not for L2. For<br /> L2, the vCPU could hang (e.g. if a wakeup interrupt is delivered before<br /> a HLT that should have been in an interrupt shadow).<br /> <br /> Sync int_state to the cached vmcb12 in nested_sync_control_from_vmcb02()<br /> to avoid this problem. With that, KVM_SET_NESTED_STATE restores the<br /> correct interrupt shadow state, and if KVM_SET_VCPU_EVENTS follows it<br /> would overwrite it with the same value.
Gravedad CVSS v3.1: MEDIA
Última modificación:
16/06/2026

CVE-2026-45991

Fecha de publicación:
27/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> udf: fix partition descriptor append bookkeeping<br /> <br /> Mounting a crafted UDF image with repeated partition descriptors can<br /> trigger a heap out-of-bounds write in part_descs_loc[].<br /> <br /> handle_partition_descriptor() deduplicates entries by partition number,<br /> but appended slots never record partnum. As a result duplicate<br /> Partition Descriptors are appended repeatedly and num_part_descs keeps<br /> growing.<br /> <br /> Once the table is full, the growth path still sizes the allocation from<br /> partnum even though inserts are indexed by num_part_descs. If partnum is<br /> already aligned to PART_DESC_ALLOC_STEP, ALIGN(partnum, step) can keep<br /> the old capacity and the next append writes past the end of the table.<br /> <br /> Store partnum in the appended slot and size growth from the next append<br /> count so deduplication and capacity tracking follow the same model.
Gravedad CVSS v3.1: ALTA
Última modificación:
19/06/2026

CVE-2026-45993

Fecha de publicación:
27/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> LoongArch: Add spectre boundry for syscall dispatch table<br /> <br /> The LoongArch syscall number is directly controlled by userspace, but<br /> does not have a array_index_nospec() boundry to prevent access past the<br /> syscall function pointer tables.
Gravedad CVSS v3.1: MEDIA
Última modificación:
19/06/2026

CVE-2026-45983

Fecha de publicación:
27/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> nfsd: never defer requests during idmap lookup<br /> <br /> During v4 request compound arg decoding, some ops (e.g. SETATTR)<br /> can trigger idmap lookup upcalls. When those upcall responses get<br /> delayed beyond the allowed time limit, cache_check() will mark the<br /> request for deferral and cause it to be dropped.<br /> <br /> This prevents nfs4svc_encode_compoundres from being executed, and<br /> thus the session slot flag NFSD4_SLOT_INUSE never gets cleared.<br /> Subsequent client requests will fail with NFSERR_JUKEBOX, given<br /> that the slot will be marked as in-use, making the SEQUENCE op<br /> fail.<br /> <br /> Fix this by making sure that the RQ_USEDEFERRAL flag is always<br /> clear during nfs4svc_decode_compoundargs(), since no v4 request<br /> should ever be deferred.
Gravedad CVSS v3.1: MEDIA
Última modificación:
16/06/2026

CVE-2026-45982

Fecha de publicación:
27/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ACPICA: Fix NULL pointer dereference in acpi_ev_address_space_dispatch()<br /> <br /> Cover a missed execution path with a new check.
Gravedad CVSS v3.1: MEDIA
Última modificación:
16/06/2026

CVE-2026-45981

Fecha de publicación:
27/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> s390/cio: Fix device lifecycle handling in css_alloc_subchannel()<br /> <br /> `css_alloc_subchannel()` calls `device_initialize()` before setting up<br /> the DMA masks. If `dma_set_coherent_mask()` or `dma_set_mask()` fails,<br /> the error path frees the subchannel structure directly, bypassing<br /> the device model reference counting.<br /> <br /> Once `device_initialize()` has been called, the embedded struct device<br /> must be released via `put_device()`, allowing the release callback to<br /> free the container structure.<br /> <br /> Fix the error path by dropping the initial device reference with<br /> `put_device()` instead of calling `kfree()` directly.<br /> <br /> This ensures correct device lifetime handling and avoids potential<br /> use-after-free or double-free issues.
Gravedad CVSS v3.1: MEDIA
Última modificación:
16/06/2026