High severity (CVSS 8.1) · OSV Advisory · Published Jun 25, 2025 · Updated Jun 17, 2026
CVE-2025-52890
Description
Incus is a system container and virtual machine manager. When an ACL is applied to a device connected to a bridge, Incus versions 6.12 and 6.13 generate nftables rules that partially bypass the security options security.mac_filtering, security.ipv4_filtering and security.ipv6_filtering. This allows ARP spoofing on the bridge and, from there, fully spoofing another VM or container on the same bridge. Commit 254dfd2483ab8de39b47c2258b7f1cf0759231c8 contains a patch for the issue.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/lxc/incus/v6 | Go | >= 6.12.0, < 6.14.0 | 6.14.0 |
Affected products
- pkg:golang/github.com/lxc/incus/v6 (no CPE), range: >= 6.12.0, < 6.14.0
- pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed (no CPE), range: < 0.0.20250730T213748-1.1
- pkg:rpm/opensuse/incus&distro=openSUSE%20Tumbleweed (no CPE), range: < 6.14-1.1