CVE-2025-52890
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-52890
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-52890.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-52890
- Aliases
- Downstream
- Published
- 2025-06-25T16:51:24.279Z
- Modified
- 2025-12-05T10:19:04.759683Z
- Severity
-
- 8.1 (High) CVSS_V3 - CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:H CVSS Calculator
- Summary
- Incus vulnerable to antispoofing nftables firewall rule bypass on bridge networks with ACLs
- Details
-
Incus is a system container and virtual machine manager. When using an ACL on a device connected to a bridge, Incus versions 6.12 and 6.13generates nftables rules that partially bypass security options
security.mac_filtering,security.ipv4_filteringandsecurity.ipv6_filtering. This can lead to ARP spoofing on the bridge and to fully spoof another VM/container on the same bridge. Commit 254dfd2483ab8de39b47c2258b7f1cf0759231c8 contains a patch for the issue. - Database specific
{ "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-863" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/52xxx/CVE-2025-52890.json" }- References