Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Vulnerabilidades

Con el objetivo de informar, advertir y ayudar a los profesionales sobre las últimas vulnerabilidades de seguridad en sistemas tecnológicos, ponemos a disposición de los usuarios interesados en esta información una base de datos con información en castellano sobre cada una de las últimas vulnerabilidades documentadas y conocidas.

Este repositorio con más de 75.000 registros esta basado en la información de NVD (National Vulnerability Database) – en función de un acuerdo de colaboración – por el cual desde INCIBE realizamos la traducción al castellano de la información incluida. En ocasiones este listado mostrará vulnerabilidades que aún no han sido traducidas debido a que se recogen en el transcurso del tiempo en el que el equipo de INCIBE realiza el proceso de traducción.

Se emplea el estándar de nomenclatura de vulnerabilidades CVE (Common Vulnerabilities and Exposures), con el fin de facilitar el intercambio de información entre diferentes bases de datos y herramientas. Cada una de las vulnerabilidades recogidas enlaza a diversas fuentes de información así como a parches disponibles o soluciones aportadas por los fabricantes y desarrolladores. Es posible realizar búsquedas avanzadas teniendo la opción de seleccionar diferentes criterios como el tipo de vulnerabilidad, fabricante, tipo de impacto entre otros, con el fin de acortar los resultados.

Mediante suscripción RSS o Boletines podemos estar informados diariamente de las últimas vulnerabilidades incorporadas al repositorio.

CVE-2026-45871

Fecha de publicación:
27/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> tpm: st33zp24: Fix missing cleanup on get_burstcount() error<br /> <br /> get_burstcount() can return -EBUSY on timeout. When this happens,<br /> st33zp24_send() returns directly without releasing the locality<br /> acquired earlier.<br /> <br /> Use goto out_err to ensure proper cleanup when get_burstcount() fails.
Gravedad: Pendiente de análisis
Última modificación:
27/05/2026

CVE-2026-45872

Fecha de publicación:
27/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> scsi: smartpqi: Fix memory leak in pqi_report_phys_luns()<br /> <br /> pqi_report_phys_luns() fails to release the rpl_list buffer when<br /> encountering an unsupported data format or when the allocation for<br /> rpl_16byte_wwid_list fails. These early returns bypass the cleanup logic,<br /> leading to memory leaks.<br /> <br /> Consolidate the error handling by adding an out_free_rpl_list label and use<br /> goto statements to ensure rpl_list is consistently freed on failure.<br /> <br /> Compile tested only. Issue found using a prototype static analysis tool and<br /> code review.
Gravedad: Pendiente de análisis
Última modificación:
27/05/2026

CVE-2026-45873

Fecha de publicación:
27/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfilter: nft_set_rbtree: check for partial overlaps in anonymous sets<br /> <br /> Userspace provides an optimized representation in case intervals are<br /> adjacent, where the end element is omitted.<br /> <br /> The existing partial overlap detection logic skips anonymous set checks<br /> on start elements for this reason.<br /> <br /> However, it is possible to add intervals that overlap to this anonymous<br /> where two start elements with the same, eg. A-B, A-C where C
Gravedad: Pendiente de análisis
Última modificación:
27/05/2026

CVE-2026-45874

Fecha de publicación:
27/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> phy: freescale: imx8qm-hsio: fix NULL pointer dereference<br /> <br /> During the probe the refclk_pad pointer is set to NULL if the<br /> &amp;#39;fsl,refclk-pad-mode&amp;#39; property is not defined in the devicetree node. But<br /> in imx_hsio_configure_clk_pad() this pointer is unconditionally used which<br /> could result in a NULL pointer dereference. So check the pointer before to<br /> use it.
Gravedad: Pendiente de análisis
Última modificación:
27/05/2026

CVE-2026-45863

Fecha de publicación:
27/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> i3c: dw: Fix memory leak in dw_i3c_master_i2c_xfers()<br /> <br /> The dw_i3c_master_i2c_xfers() function allocates memory for the xfer<br /> structure using dw_i3c_master_alloc_xfer(). If pm_runtime_resume_and_get()<br /> fails, the function returns without freeing the allocated xfer, resulting<br /> in a memory leak.<br /> <br /> Add a dw_i3c_master_free_xfer() call to the error path to ensure the<br /> allocated memory is properly freed.<br /> <br /> Compile tested only. Issue found using a prototype static analysis tool<br /> and code review.
Gravedad: Pendiente de análisis
Última modificación:
27/05/2026

CVE-2026-45864

Fecha de publicación:
27/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> fs/ntfs3: prevent infinite loops caused by the next valid being the same<br /> <br /> When processing valid within the range [valid : pos), if valid cannot<br /> be retrieved correctly, for example, if the retrieved valid value is<br /> always the same, this can trigger a potential infinite loop, similar<br /> to the hung problem reported by syzbot [1].<br /> <br /> Adding a check for the valid value within the loop body, and terminating<br /> the loop and returning -EINVAL if the value is the same as the current<br /> value, can prevent this.<br /> <br /> [1]<br /> INFO: task syz.4.21:6056 blocked for more than 143 seconds.<br /> Call Trace:<br /> rwbase_write_lock+0x14f/0x750 kernel/locking/rwbase_rt.c:244<br /> inode_lock include/linux/fs.h:1027 [inline]<br /> ntfs_file_write_iter+0xe6/0x870 fs/ntfs3/file.c:1284
Gravedad: Pendiente de análisis
Última modificación:
27/05/2026

CVE-2026-45865

Fecha de publicación:
27/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mctp i2c: initialise event handler read bytes<br /> <br /> Set a 0xff value for i2c reads of an mctp-i2c device. Otherwise reads<br /> will return "val" from the i2c bus driver. For i2c-aspeed and<br /> i2c-npcm7xx that is a stack uninitialised u8.<br /> <br /> Tested with "i2ctransfer -y 1 r10@0x34" where 0x34 is a mctp-i2c<br /> instance, now it returns all 0xff.
Gravedad: Pendiente de análisis
Última modificación:
27/05/2026

CVE-2026-45866

Fecha de publicación:
27/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> serial: caif: fix use-after-free in caif_serial ldisc_close()<br /> <br /> There is a use-after-free bug in caif_serial where handle_tx() may<br /> access ser-&gt;tty after the tty has been freed.<br /> <br /> The race condition occurs between ldisc_close() and packet transmission:<br /> <br /> CPU 0 (close) CPU 1 (xmit)<br /> ------------- ------------<br /> ldisc_close()<br /> tty_kref_put(ser-&gt;tty)<br /> [tty may be freed here]<br /> <br /> caif_xmit()<br /> handle_tx()<br /> tty = ser-&gt;tty // dangling ptr<br /> tty-&gt;ops-&gt;write() // UAF!<br /> schedule_work()<br /> ser_release()<br /> unregister_netdevice()<br /> <br /> The root cause is that tty_kref_put() is called in ldisc_close() while<br /> the network device is still active and can receive packets.<br /> <br /> Since ser and tty have a 1:1 binding relationship with consistent<br /> lifecycles (ser is allocated in ldisc_open and freed in ser_release<br /> via unregister_netdevice, and each ser binds exactly one tty), we can<br /> safely defer the tty reference release to ser_release() where the<br /> network device is unregistered.<br /> <br /> Fix this by moving tty_kref_put() from ldisc_close() to ser_release(),<br /> after unregister_netdevice(). This ensures the tty reference is held<br /> as long as the network device exists, preventing the UAF.<br /> <br /> Note: We save ser-&gt;tty before unregister_netdevice() because ser is<br /> embedded in netdev&amp;#39;s private data and will be freed along with netdev<br /> (needs_free_netdev = true).<br /> <br /> How to reproduce: Add mdelay(500) at the beginning of ldisc_close()<br /> to widen the race window, then run the reproducer program [1].<br /> <br /> Note: There is a separate deadloop issue in handle_tx() when using<br /> PORT_UNKNOWN serial ports (e.g., /dev/ttyS3 in QEMU without proper<br /> serial backend). This deadloop exists even without this patch,<br /> and is likely caused by inconsistency between uart_write_room() and<br /> uart_write() in serial core. It has been addressed in a separate<br /> patch [2].<br /> <br /> KASAN report:<br /> <br /> ==================================================================<br /> BUG: KASAN: slab-use-after-free in handle_tx+0x5d1/0x620<br /> Read of size 1 at addr ffff8881131e1490 by task caif_uaf_trigge/9929<br /> <br /> Call Trace:<br /> <br /> dump_stack_lvl+0x10e/0x1f0<br /> print_report+0xd0/0x630<br /> kasan_report+0xe4/0x120<br /> handle_tx+0x5d1/0x620<br /> dev_hard_start_xmit+0x9d/0x6c0<br /> __dev_queue_xmit+0x6e2/0x4410<br /> packet_xmit+0x243/0x360<br /> packet_sendmsg+0x26cf/0x5500<br /> __sys_sendto+0x4a3/0x520<br /> __x64_sys_sendto+0xe0/0x1c0<br /> do_syscall_64+0xc9/0xf80<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> RIP: 0033:0x7f615df2c0d7<br /> <br /> Allocated by task 9930:<br /> <br /> Freed by task 64:<br /> <br /> Last potentially related work creation:<br /> <br /> The buggy address belongs to the object at ffff8881131e1000<br /> which belongs to the cache kmalloc-cg-2k of size 2048<br /> The buggy address is located 1168 bytes inside of<br /> freed 2048-byte region [ffff8881131e1000, ffff8881131e1800)<br /> <br /> The buggy address belongs to the physical page:<br /> page_owner tracks the page as allocated<br /> page last free pid 9778 tgid 9778 stack trace:<br /> <br /> Memory state around the buggy address:<br /> ffff8881131e1380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb<br /> ffff8881131e1400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb<br /> &gt;ffff8881131e1480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb<br /> ^<br /> ffff8881131e1500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb<br /> ffff8881131e1580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb<br /> ==================================================================<br /> [1]: https://gist.github.com/mrpre/f683f244544f7b11e7fa87df9e6c2eeb<br /> [2]: https://lore.kernel.org/linux-serial/20260204074327.226165-1-jiayuan.chen@linux.dev/T/#u
Gravedad: Pendiente de análisis
Última modificación:
27/05/2026

CVE-2026-45859

Fecha de publicación:
27/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfilter: nfnetlink_queue: do shared-unconfirmed check before segmentation<br /> <br /> Ulrich reports a regression with nfqueue:<br /> <br /> If an application did not set the &amp;#39;F_GSO&amp;#39; capability flag and a gso<br /> packet with an unconfirmed nf_conn entry is received all packets are<br /> now dropped instead of queued, because the check happens after<br /> skb_gso_segment(). In that case, we did have exclusive ownership<br /> of the skb and its associated conntrack entry. The elevated use<br /> count is due to skb_clone happening via skb_gso_segment().<br /> <br /> Move the check so that its peformed vs. the aggregated packet.<br /> <br /> Then, annotate the individual segments except the first one so we<br /> can do a 2nd check at reinject time.<br /> <br /> For the normal case, where userspace does in-order reinjects, this avoids<br /> packet drops: first reinjected segment continues traversal and confirms<br /> entry, remaining segments observe the confirmed entry.<br /> <br /> While at it, simplify nf_ct_drop_unconfirmed(): We only care about<br /> unconfirmed entries with a refcnt &gt; 1, there is no need to special-case<br /> dying entries.<br /> <br /> This only happens with UDP. With TCP, the only unconfirmed packet will<br /> be the TCP SYN, those aren&amp;#39;t aggregated by GRO.<br /> <br /> Next patch adds a udpgro test case to cover this scenario.
Gravedad CVSS v3.1: ALTA
Última modificación:
30/05/2026

CVE-2026-45860

Fecha de publicación:
27/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfilter: nf_conncount: increase the connection clean up limit to 64<br /> <br /> After the optimization to only perform one GC per jiffy, a new problem<br /> was introduced. If more than 8 new connections are tracked per jiffy the<br /> list won&amp;#39;t be cleaned up fast enough possibly reaching the limit<br /> wrongly.<br /> <br /> In order to prevent this issue, only skip the GC if it was already<br /> triggered during the same jiffy and the increment is lower than the<br /> clean up limit. In addition, increase the clean up limit to 64<br /> connections to avoid triggering GC too often and do more effective GCs.<br /> <br /> This has been tested using a HTTP server and several<br /> performance tools while having nft_connlimit/xt_connlimit or OVS limit<br /> configured.<br /> <br /> Output of slowhttptest + OVS limit at 52000 connections:<br /> <br /> slow HTTP test status on 340th second:<br /> initializing: 0<br /> pending: 432<br /> connected: 51998<br /> error: 0<br /> closed: 0<br /> service available: YES
Gravedad CVSS v3.1: ALTA
Última modificación:
30/05/2026

CVE-2026-45861

Fecha de publicación:
27/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> gfs2: Fix slab-use-after-free in qd_put<br /> <br /> Commit a475c5dd16e5 ("gfs2: Free quota data objects synchronously")<br /> started freeing quota data objects during filesystem shutdown instead of<br /> putting them back onto the LRU list, but it failed to remove these<br /> objects from the LRU list, causing LRU list corruption. This caused<br /> use-after-free when the shrinker (gfs2_qd_shrink_scan) tried to access<br /> already-freed objects on the LRU list.<br /> <br /> Fix this by removing qd objects from the LRU list before freeing them in<br /> qd_put().<br /> <br /> Initial fix from Deepanshu Kartikey .
Gravedad CVSS v3.1: ALTA
Última modificación:
30/05/2026

CVE-2026-45862

Fecha de publicación:
27/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> iommu/vt-d: Flush cache for PASID table before using it<br /> <br /> When writing the address of a freshly allocated zero-initialized PASID<br /> table to a PASID directory entry, do that after the CPU cache flush for<br /> this PASID table, not before it, to avoid the time window when this<br /> PASID table may be already used by non-coherent IOMMU hardware while<br /> its contents in RAM is still some random old data, not zero-initialized.
Gravedad CVSS v3.1: ALTA
Última modificación:
30/05/2026