CVE - CVE-2025-52889

CVE-ID
CVE-2025-52889	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
Incus is a system container and virtual machine manager. When using an ACL on a device connected to a bridge, Incus version 6.12 and 6.13 generates nftables rules for local services (DHCP, DNS...) that partially bypass security options `security.mac_filtering`, `security.ipv4_filtering` and `security.ipv6_filtering`. This can lead to DHCP pool exhaustion and opens the door for other attacks. A patch is available at commit 2516fb19ad8428454cb4edfe70c0a5f0dc1da214.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
MISC:https://github.com/lxc/incus/commit/2516fb19ad8428454cb4edfe70c0a5f0dc1da214 URL:https://github.com/lxc/incus/commit/2516fb19ad8428454cb4edfe70c0a5f0dc1da214 MISC:https://github.com/lxc/incus/commit/a7c33301738aede3c035063e973b1d885d9bac7c URL:https://github.com/lxc/incus/commit/a7c33301738aede3c035063e973b1d885d9bac7c MISC:https://github.com/lxc/incus/security/advisories/GHSA-9q7c-qmhm-jv86 URL:https://github.com/lxc/incus/security/advisories/GHSA-9q7c-qmhm-jv86
Assigning CNA
GitHub (maintainer security advisories)
Date Record Created
20250620	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20250620)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)