CVE-2025-52890

NameCVE-2025-52890
DescriptionIncus is a system container and virtual machine manager. When using an ACL on a device connected to a bridge, Incus versions 6.12 and 6.13generates nftables rules that partially bypass security options `security.mac_filtering`, `security.ipv4_filtering` and `security.ipv6_filtering`. This can lead to ARP spoofing on the bridge and to fully spoof another VM/container on the same bridge. Commit 254dfd2483ab8de39b47c2258b7f1cf0759231c8 contains a patch for the issue.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
incus (PTS)sid, trixie6.0.4-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
incussource(unstable)(not affected)

Notes

- incus <not-affected> (Vulnerable code not present)
https://github.com/lxc/incus/security/advisories/GHSA-p7fw-vjjm-2rwp
Introduced with: https://github.com/lxc/incus/commit/d137a063c2fe2a6983c995ba75c03731bee1557d (v6.12.0)
Fixed by: https://github.com/lxc/incus/commit/254dfd2483ab8de39b47c2258b7f1cf0759231c8
Search for package or bug name: Reporting problems