CVE-2025-52889
Awaiting Analysis - Queue
BaseFortify

Publication date: 2025-06-25

Last updated on: 2025-06-26

Assigner: GitHub, Inc.

Description
Incus is a system container and virtual machine manager. When using an ACL on a device connected to a bridge, Incus version 6.12 and 6.13 generates nftables rules for local services (DHCP, DNS...) that partially bypass security options `security.mac_filtering`, `security.ipv4_filtering` and `security.ipv6_filtering`. This can lead to DHCP pool exhaustion and opens the door for other attacks. A patch is available at commit 2516fb19ad8428454cb4edfe70c0a5f0dc1da214.
Meta Information
Generated: 2026-05-07
AI Q&A: 2025-06-25
EPSS evaluated: 2026-05-05
NVD
Affected Vendors & Products
Currently, no data is known.
CWE
CWE-770: The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-52889 is a vulnerability in Incus versions 6.12 and 6.13 where nftables firewall rules generated for devices connected to a bridge with ACLs are incorrectly ordered. This misordering causes rules allowing DHCP, DNS, and certain IPv6 packets to bypass MAC and IP filtering security options. As a result, attackers can exploit this to send numerous DHCP requests with spoofed MAC addresses, exhausting the DHCP address pool and causing denial-of-service (DoS) on the network bridge. The vulnerability arises because these permissive rules are applied before antispoofing rules, rendering them ineffective. [1, 3]


How can this vulnerability impact me?

This vulnerability can lead to denial-of-service (DoS) on your network bridge by allowing an attacker to exhaust the DHCP address pool through spoofed MAC addresses. Legitimate devices may be unable to obtain IP addresses, disrupting network connectivity. Additionally, the bypass of MAC and IP filtering for DNS traffic could potentially allow abuse of DNS requests, although the impact of this is less clear. Overall, it compromises network availability and reliability. [1, 3]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for unusual DHCP traffic patterns, such as rapid DHCP requests with changing MAC addresses that could indicate DHCP pool exhaustion attacks. Additionally, inspecting the nftables rules on the affected system to verify the ordering of firewall rules related to DHCP, DNS, and MAC filtering can help identify the issue. Commands to check nftables rules include: `sudo nft list ruleset` to view the current nftables configuration and verify if DHCP and DNS rules are placed before MAC filtering rules. Network traffic capture tools like `tcpdump` can be used to monitor DHCP requests, e.g., `sudo tcpdump -i <interface> port 67 or port 68` to observe DHCP traffic and detect abnormal request rates or spoofed MAC addresses. [3]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include applying the patch provided in commit 2516fb19ad8428454cb4edfe70c0a5f0dc1da214, which corrects the ordering of nftables firewall rules to ensure proper MAC, IPv4, and IPv6 filtering and prevent DHCP pool exhaustion. Until the patch is applied, monitoring and limiting DHCP requests, enforcing stricter network access controls, and possibly disabling ACLs on bridged devices if feasible can reduce risk. Reviewing and adjusting nftables rules manually to ensure MAC filtering rules are evaluated before DHCP and DNS accept rules may also help mitigate the issue temporarily. [1, 3]
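The detection and mitigation answers above both come down to one check: in each chain, do the anti-spoofing rules come before the local-service accept rules? The following script is an added example, not part of this record or of Incus; it scans `nft list ruleset` text and reports, per chain, every MAC/IP source filter that is only evaluated after a DHCP/DNS accept rule. The sample chains, chain name and rule wording (`udp dport 67 accept`, `ether saddr != ... drop`) are constructed assumptions for illustration, not Incus's actual generated rules.

```python
import re

# Constructed `nft list ruleset` excerpt for one bridge-attached device, in
# the misordered shape described above. The rule wording is an illustrative
# assumption, not Incus's actual generated rules.
VULNERABLE_RULESET = """\
chain in.instance.eth0 {
    iifname "veth1234" udp dport 67 accept
    iifname "veth1234" udp dport 53 accept
    iifname "veth1234" ether saddr != 00:16:3e:aa:bb:cc drop
    iifname "veth1234" ip saddr != 10.0.0.5 drop
}
"""

# Same chain with the anti-spoofing rules evaluated first (the intended order).
FIXED_RULESET = """\
chain in.instance.eth0 {
    iifname "veth1234" ether saddr != 00:16:3e:aa:bb:cc drop
    iifname "veth1234" ip saddr != 10.0.0.5 drop
    iifname "veth1234" udp dport 67 accept
    iifname "veth1234" udp dport 53 accept
}
"""

# Local-service accept rules (DHCP 67/68, DNS 53) and source-address
# anti-spoofing rules (MAC, IPv4, IPv6) that a spoofed packet must hit first.
SERVICE_ACCEPT = re.compile(r"\budp dport (?:67|68|53)\b.*\baccept$")
ANTISPOOF_DROP = re.compile(r"\b(?:ether|ip|ip6) saddr\s*!=.*\b(?:drop|return)$")


def find_bypassed_filters(ruleset: str) -> list:
    """Return (chain, accept_rule, filter_rule) for every anti-spoofing rule
    that is evaluated only after a local-service accept rule in its chain,
    i.e. a filter that a spoofed DHCP/DNS packet never reaches."""
    findings = []
    chain, first_accept = None, None
    for raw in ruleset.splitlines():
        line = raw.strip()
        header = re.match(r"chain (\S+)", line)
        if header:
            chain, first_accept = header.group(1), None
        elif line == "}":
            chain = None
        elif chain is None:
            continue
        elif first_accept is None and SERVICE_ACCEPT.search(line):
            first_accept = line
        elif first_accept is not None and ANTISPOOF_DROP.search(line):
            findings.append((chain, first_accept, line))
    return findings
```

On a live host, feed it `sudo nft list ruleset` output; an empty result for every instance chain means the filters are ordered as intended, while any finding names the accept rule that shadows a filter.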

