1. Home
  2. CVE Database
  3. CVE-2025-52889
LOW · 3.4

CVE-2025-52889

Incus is a system container and virtual machine manager. When using an ACL on a device connected to a bridge, Incus version 6.12 and 6.13 generates nftables rules for local services (DHCP, DNS...) tha...

Vulnerability Description

Incus is a system container and virtual machine manager. When using an ACL on a device connected to a bridge, Incus version 6.12 and 6.13 generates nftables rules for local services (DHCP, DNS...) that partially bypass security options `security.mac_filtering`, `security.ipv4_filtering` and `security.ipv6_filtering`. This can lead to DHCP pool exhaustion and opens the door for other attacks. A patch is available at commit 2516fb19ad8428454cb4edfe70c0a5f0dc1da214.

CVSS Score

3.4

LOW

CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L
Attack Vector
ADJACENT_NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
CHANGED
Confidentiality
NONE
Integrity
NONE
Availability
LOW

Related Weaknesses (CWE)

CWE-770

References

FAQ

What is CVE-2025-52889?

CVE-2025-52889 is a vulnerability with a CVSS score of 3.4 (LOW). Incus is a system container and virtual machine manager. When using an ACL on a device connected to a bridge, Incus version 6.12 and 6.13 generates nftables rules for local services (DHCP, DNS...) tha...

How severe is CVE-2025-52889?

CVE-2025-52889 has been rated LOW with a CVSS base score of 3.4/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2025-52889?

Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.