CVE-2025-52890

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-52890

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-52890.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-52890

Aliases

GHSA-p7fw-vjjm-2rwp

Related

Published

2025-06-25T17:15:39Z

Modified

2025-06-27T11:02:59.230300Z

Summary

[none]

Details

Incus is a system container and virtual machine manager. When using an ACL on a device connected to a bridge, Incus versions 6.12 and 6.13generates nftables rules that partially bypass security options security.mac_filtering, security.ipv4_filtering and security.ipv6_filtering. This can lead to ARP spoofing on the bridge and to fully spoof another VM/container on the same bridge. Commit 254dfd2483ab8de39b47c2258b7f1cf0759231c8 contains a patch for the issue.

References

Affected packages

Git / github.com/lxc/incus

Affected ranges

Type: GIT
Repo: https://github.com/lxc/incus
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

254dfd2483ab8de39b47c2258b7f1cf0759231c8

Affected versions

v0.*

v0.1.0

v0.2.0

v0.3.0

v0.4.0

v0.5.0

v0.5.1

v0.6.0

v0.7.0

v6.*

v6.0.0

v6.1.0

v6.10.0

v6.10.1

v6.11.0

v6.12.0

v6.13.0

v6.2.0

v6.3.0

v6.4.0

v6.5.0

v6.6.0

v6.7.0

v6.8.0

v6.9.0