CVE-2025-52889

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-52889

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-52889.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-52889

Aliases

GHSA-9q7c-qmhm-jv86

Related

Published

2025-06-25T17:15:39Z

Modified

2025-06-27T11:03:00.525807Z

Summary

[none]

Details

Incus is a system container and virtual machine manager. When using an ACL on a device connected to a bridge, Incus version 6.12 and 6.13 generates nftables rules for local services (DHCP, DNS...) that partially bypass security options security.mac_filtering, security.ipv4_filtering and security.ipv6_filtering. This can lead to DHCP pool exhaustion and opens the door for other attacks. A patch is available at commit 2516fb19ad8428454cb4edfe70c0a5f0dc1da214.

References

Affected packages

Git / github.com/lxc/incus

Affected ranges

Type: GIT
Repo: https://github.com/lxc/incus
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

2516fb19ad8428454cb4edfe70c0a5f0dc1da214

Fixed

a7c33301738aede3c035063e973b1d885d9bac7c

Affected versions

v0.*

v0.1.0

v0.2.0

v0.3.0

v0.4.0

v0.5.0

v0.5.1

v0.6.0

v0.7.0

v6.*

v6.0.0

v6.1.0

v6.10.0

v6.10.1

v6.11.0

v6.12.0

v6.13.0

v6.2.0

v6.3.0

v6.4.0

v6.5.0

v6.6.0

v6.7.0

v6.8.0

v6.9.0