PT-2025-26863 · Incus · Incus
Obp-Anssi
Published: 2025-06-25 · Updated: 2026-03-30
CVE-2025-52890
CVSS v3.1: 8.1 (High)
Vector: AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:H
Name of the Vulnerable Software and Affected Versions:
Incus versions 6.12 and 6.13
Description:
Incus is a system container and virtual machine manager. When an ACL is applied to a device connected to a bridge, Incus generates nftables rules that partially bypass the security options security.mac_filtering, security.ipv4_filtering, and security.ipv6_filtering. This can lead to ARP spoofing on the bridge and allow a guest to fully spoof another VM or container on the same bridge.
Recommendations:
For Incus versions 6.12 and 6.13, apply the patch from commit 254dfd2483ab8de39b47c2258b7f1cf0759231c8 to resolve the issue.
Exploit
Fix
Incorrect Authorization
Weakness Enumeration
Related Identifiers
Affected Products: Incus