CVE-2025-52890

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-52890

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-52890.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-52890

Aliases

Downstream

UBUNTU-CVE-2025-52890

Published

2025-06-25T16:51:24Z

Modified

2025-10-22T18:47:32.746021Z

Severity

8.1 (High) CVSS_V3 - CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:H CVSS Calculator

Summary

Incus vulnerable to antispoofing nftables firewall rule bypass on bridge networks with ACLs

Details

Incus is a system container and virtual machine manager. When using an ACL on a device connected to a bridge, Incus versions 6.12 and 6.13generates nftables rules that partially bypass security options security.mac_filtering, security.ipv4_filtering and security.ipv6_filtering. This can lead to ARP spoofing on the bridge and to fully spoof another VM/container on the same bridge. Commit 254dfd2483ab8de39b47c2258b7f1cf0759231c8 contains a patch for the issue.

Database specific

{
    "cwe_ids": [
        "CWE-863"
    ]
}

References

Affected packages

Git / github.com/lxc/incus

Affected ranges

Type: GIT
Repo: https://github.com/lxc/incus
Events: Introduced

11f8f9e6ae151984a7abd2d9f9b02a6f3c9af320

Fixed

254dfd2483ab8de39b47c2258b7f1cf0759231c8

Affected versions

v6.*

v6.12.0

v6.13.0