CVE-2025-52889

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-52889
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-52889.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-52889
Aliases
Downstream
Related
Published
2025-06-25T17:15:39Z
Modified
2025-07-29T11:24:53.889521Z
Summary
[none]
Details

Incus is a system container and virtual machine manager. When using an ACL on a device connected to a bridge, Incus version 6.12 and 6.13 generates nftables rules for local services (DHCP, DNS...) that partially bypass security options security.mac_filtering, security.ipv4_filtering and security.ipv6_filtering. This can lead to DHCP pool exhaustion and opens the door for other attacks. A patch is available at commit 2516fb19ad8428454cb4edfe70c0a5f0dc1da214.

References

Affected packages

Git / github.com/lxc/incus

Affected ranges

Type
GIT
Repo
https://github.com/lxc/incus
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
2516fb19ad8428454cb4edfe70c0a5f0dc1da214
Fixed
a7c33301738aede3c035063e973b1d885d9bac7c

Affected versions

v0.*

v0.1.0
v0.2.0
v0.3.0
v0.4.0
v0.5.0
v0.5.1
v0.6.0
v0.7.0

v6.*

v6.0.0
v6.1.0
v6.10.0
v6.10.1
v6.11.0
v6.12.0
v6.13.0
v6.2.0
v6.3.0
v6.4.0
v6.5.0
v6.6.0
v6.7.0
v6.8.0
v6.9.0