PT-2025-26862 · Incus · Incus

Obp-Anssi · Published 2025-04-10 · Updated 2025-08-09 · CVE-2025-52889

CVSS v3.1: 3.4 (Low)
Vector: AV:A/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions: Incus versions 6.12 through 6.13
Description: Incus is a system container and virtual machine manager. When an ACL is applied to a NIC device connected to a bridge, Incus generates nftables rules for the bridge's local services (such as DHCP and DNS) that partially bypass the device's security.mac_filtering, security.ipv4_filtering, and security.ipv6_filtering options. An instance on such a bridge can therefore exhaust the DHCP pool, and the bypass opens the door to other attacks against those local services.
Recommendations: For versions 6.12 and 6.13, apply the patch in commit 2516fb19ad8428454cb4edfe70c0a5f0dc1da214 to resolve the issue. As a temporary workaround until the patch is applied, restrict the use of ACLs on devices connected to a bridge.

Exploit

Fix

Weakness Enumeration

Allocation of Resources Without Limits

Related Identifiers

BDU:2025-08084
CVE-2025-52889
GHSA-9Q7C-QMHM-JV86
GO-2025-3781
OPENSUSE-SU-2025:15317-1
OPENSUSE-SU-2025:15405-1

Affected Products

Incus