VYPR
High severity · 8.1 · OSV Advisory · Published Jun 25, 2025 · Updated Apr 15, 2026

CVE-2025-52890

Description

Incus is a system container and virtual machine manager. When an ACL is applied to a device connected to a bridge, Incus versions 6.12 and 6.13 generate nftables rules that partially bypass the security options security.mac_filtering, security.ipv4_filtering and security.ipv6_filtering. This can lead to ARP spoofing on the bridge and allow an instance to fully spoof another VM/container on the same bridge. Commit 254dfd2483ab8de39b47c2258b7f1cf0759231c8 contains a patch for the issue.
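The defect is one of rule ordering: nftables evaluates a chain top to bottom and stops at the first verdict, so an unconditional "accept ARP/NDP" rule placed above the MAC-filtering drop rules wins before the filter is consulted. The following added audit script (not part of Incus or of this advisory) checks a captured chain listing for that ordering; the interface name, MAC address and the exact shape of the MAC-filter drop rule are assumptions modelled on the template lines in the fix commit.

```python
"""Audit an Incus-style nftables bridge chain for the CVE-2025-52890 ordering.

Rules are given as the text of a chain listing (e.g. from `nft list chain`),
one rule per line, in evaluation order. An unconditional ARP/NDP accept that
appears before the first MAC-filtering drop is reported as a finding.
"""
import re

# Accept rules that do not look at the frame's source MAC at all.
UNCONDITIONAL_ACCEPT = re.compile(
    r"ether type arp accept|"
    r"icmpv6 type \{ nd-neighbor-solicit, nd-neighbor-advert \} accept")
# Assumed shape of the security.mac_filtering drop rule: "ether saddr != <mac> ... drop".
MAC_FILTER_DROP = re.compile(r"ether saddr != [0-9a-f:]{17} .*drop")


def audit_chain(rules):
    """Return indices of unconditional accepts that precede the first MAC-filter drop.

    An empty list means either the ordering is safe or no MAC filtering rule is
    present (in which case there is nothing for the accepts to bypass).
    """
    drops = [i for i, rule in enumerate(rules) if MAC_FILTER_DROP.search(rule)]
    if not drops:
        return []
    first_drop = drops[0]
    return [i for i, rule in enumerate(rules[:first_drop])
            if UNCONDITIONAL_ACCEPT.search(rule)]


# Constructed sample: the order the 6.12/6.13 template emitted (hypothetical veth/MAC).
VULNERABLE_CHAIN = [
    'iifname "veth0" ether type arp accept',
    'iifname "veth0" ip6 nexthdr ipv6-icmp icmpv6 type '
    '{ nd-neighbor-solicit, nd-neighbor-advert } accept',
    'iifname "veth0" ether saddr != 00:16:3e:aa:bb:cc drop',
]
# The same rules in the order the fix commit emits them: MAC filtering first.
FIXED_CHAIN = [VULNERABLE_CHAIN[2], VULNERABLE_CHAIN[0], VULNERABLE_CHAIN[1]]

if __name__ == "__main__":
    for name, chain in (("vulnerable", VULNERABLE_CHAIN), ("fixed", FIXED_CHAIN)):
        findings = audit_chain(chain)
        print(f"{name}: accepts before MAC filtering at indices {findings}")
```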

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: github.com/lxc/incus/v6 (Go)
Affected versions: >= 6.12.0, < 6.14.0
Patched versions: 6.14.0

Patches

254dfd2483ab

incusd/firewall/nftables: Fix rule ordering for ARP/NDP

https://github.com/lxc/incus · Olivier Bal-Petre · Jun 2, 2025 · via ghsa
1 file changed · +7 −4
  • internal/server/firewall/drivers/drivers_nftables_templates.go (+7 −4, modified)
    @@ -194,7 +194,6 @@ chain in{{.chainSeparator}}{{.deviceLabel}} {
     
     	# Basic connectivity
     	{{ if or .aclInDropRules .aclInRejectRules .aclInAcceptRules .aclOutDropRules .aclOutAcceptRules .aclInDefaultRule }}
    -	ct state established,related accept
     
     	{{ if .dnsIPv4 }}
     	{{ range .dnsIPv4 }}
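Review bot: the `{{ if or .aclInDropRules ... .aclInDefaultRule }}` guard above the removed `ct state established,related accept` line is kept, but nothing now explains what it scopes once that rule is gone; a short template comment on the guard (e.g. `# Accepts below only apply when ACLs are in use`) would make the remaining block's purpose clear to the next reader.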
    @@ -213,9 +212,6 @@ chain in{{.chainSeparator}}{{.deviceLabel}} {
     	iifname "{{.hostName}}" ether type ip ip saddr 0.0.0.0 ip daddr 255.255.255.255 udp dport 67 accept
     	iifname "{{.hostName}}" ether type ip6 ip6 saddr fe80::/10 ip6 daddr ff02::1:2 udp dport 547 accept
     	iifname "{{.hostName}}" ether type ip6 ip6 saddr fe80::/10 ip6 daddr ff02::2 icmpv6 type 133 accept
    -
    -	iifname "{{.hostName}}" ether type arp accept
    -	iifname "{{.hostName}}" ip6 nexthdr ipv6-icmp icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert } accept
     	{{ end }}
     
     	# MAC filtering
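Review bot: dropping the unconditional `ether type arp accept` and the `nd-neighbor-solicit, nd-neighbor-advert` accept from this position is the right move, since both sat above the `# MAC filtering` section that follows and would match before it; a one-line comment here stating that ARP/NDP accepts must be emitted after MAC filtering would guard against a later change reintroducing them at this point.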
    @@ -248,6 +244,13 @@ chain in{{.chainSeparator}}{{.deviceLabel}} {
     	iifname "{{.hostName}}" ether type ip6 drop
     	{{ end }}
     
    +	{{ if or .aclInDropRules .aclInRejectRules .aclInAcceptRules .aclOutDropRules .aclOutAcceptRules .aclInDefaultRule }}
    +	ct state established,related accept
    +
    +	iifname "{{.hostName}}" ether type arp accept
    +	iifname "{{.hostName}}" ip6 nexthdr ipv6-icmp icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert } accept
    +	{{ end }}
    +
     	# ACLs
     	{{ range .aclInDropRules }}
     	{{.}}
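Review bot: the `{{ if or .aclInDropRules .aclInRejectRules .aclInAcceptRules .aclOutDropRules .aclOutAcceptRules .aclInDefaultRule }}` condition is now duplicated verbatim between this block and the earlier one; factoring it into a single template field would keep the two in sync. The relocated block also silently relies on first-match ordering, so a comment such as `# Must stay after MAC/IP filtering drops` directly above `ct state established,related accept` would document why it lives here and not with the other basic-connectivity rules.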
    
