CVE-2025-52890
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
25/06/2025
Last modified:
26/06/2025
Description
Incus is a system container and virtual machine manager. When using an ACL on a device connected to a bridge, Incus versions 6.12 and 6.13generates nftables rules that partially bypass security options `security.mac_filtering`, `security.ipv4_filtering` and `security.ipv6_filtering`. This can lead to ARP spoofing on the bridge and to fully spoof another VM/container on the same bridge. Commit 254dfd2483ab8de39b47c2258b7f1cf0759231c8 contains a patch for the issue.
Impact
Base Score 3.x
8.10
Severity 3.x
HIGH