{"id":"CVE-2025-52890","summary":"Incus vulnerable to antispoofing nftables firewall rule bypass on bridge networks with ACLs","details":"Incus is a system container and virtual machine manager. When using an ACL on a device connected to a bridge, Incus versions 6.12 and 6.13 generate nftables rules that partially bypass security options `security.mac_filtering`, `security.ipv4_filtering` and `security.ipv6_filtering`. This can lead to ARP spoofing on the bridge and to fully spoof another VM/container on the same bridge. Commit 254dfd2483ab8de39b47c2258b7f1cf0759231c8 contains a patch for the issue.","aliases":["GHSA-p7fw-vjjm-2rwp","GO-2025-3782"],"modified":"2026-04-02T12:57:34.804736Z","published":"2025-06-25T16:51:24.279Z","related":["openSUSE-SU-2025:15317-1","openSUSE-SU-2025:15405-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/52xxx/CVE-2025-52890.json","cna_assigner":"GitHub_M","cwe_ids":["CWE-863"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/52xxx/CVE-2025-52890.json"},{"type":"ADVISORY","url":"https://github.com/lxc/incus/security/advisories/GHSA-p7fw-vjjm-2rwp"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-52890"},{"type":"FIX","url":"https://github.com/lxc/incus/commit/254dfd2483ab8de39b47c2258b7f1cf0759231c8"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/lxc/incus","events":[{"introduced":"11f8f9e6ae151984a7abd2d9f9b02a6f3c9af320"},{"fixed":"254dfd2483ab8de39b47c2258b7f1cf0759231c8"}]}],"versions":["v6.12.0","v6.13.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-52890.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:H"}]}