CVE-2025-52890

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-52890
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-52890.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-52890
Aliases
Downstream
Related
Published
2025-06-25T17:15:39Z
Modified
2025-07-29T11:24:54.443301Z
Summary
[none]
Details

Incus is a system container and virtual machine manager. When using an ACL on a device connected to a bridge, Incus versions 6.12 and 6.13generates nftables rules that partially bypass security options security.mac_filtering, security.ipv4_filtering and security.ipv6_filtering. This can lead to ARP spoofing on the bridge and to fully spoof another VM/container on the same bridge. Commit 254dfd2483ab8de39b47c2258b7f1cf0759231c8 contains a patch for the issue.

References

Affected packages

Git / github.com/lxc/incus

Affected ranges

Type
GIT
Repo
https://github.com/lxc/incus
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
254dfd2483ab8de39b47c2258b7f1cf0759231c8

Affected versions

v0.*

v0.1.0
v0.2.0
v0.3.0
v0.4.0
v0.5.0
v0.5.1
v0.6.0
v0.7.0

v6.*

v6.0.0
v6.1.0
v6.10.0
v6.10.1
v6.11.0
v6.12.0
v6.13.0
v6.2.0
v6.3.0
v6.4.0
v6.5.0
v6.6.0
v6.7.0
v6.8.0
v6.9.0