CVE-2025-52889

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-52889

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-52889.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-52889

Aliases

Downstream

UBUNTU-CVE-2025-52889

Published

2025-06-25T16:49:00Z

Modified

2025-11-02T19:57:06.885011Z

Severity

3.4 (Low) CVSS_V3 - CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L CVSS Calculator

Summary

Incus vulnerable to DoS through antispoofing nftables firewall rule bypass on bridge networks with ACLs

Details

Incus is a system container and virtual machine manager. When using an ACL on a device connected to a bridge, Incus version 6.12 and 6.13 generates nftables rules for local services (DHCP, DNS...) that partially bypass security options security.mac_filtering, security.ipv4_filtering and security.ipv6_filtering. This can lead to DHCP pool exhaustion and opens the door for other attacks. A patch is available at commit 2516fb19ad8428454cb4edfe70c0a5f0dc1da214.

Database specific

{
    "cwe_ids": [
        "CWE-770"
    ]
}

References

Affected packages

Git / github.com/lxc/incus

Affected ranges

Type: GIT
Repo: https://github.com/lxc/incus
Events: Introduced

11f8f9e6ae151984a7abd2d9f9b02a6f3c9af320

Fixed

a7c33301738aede3c035063e973b1d885d9bac7c

Affected versions

v6.*

v6.12.0