CVE-2025-52890 · HIGH 8.1 · EPSS percentile 9.3%


Description

Incus is a system container and virtual machine manager. When an ACL is applied to a device connected to a bridge, Incus versions 6.12 and 6.13 generate nftables rules that partially bypass the security options `security.mac_filtering`, `security.ipv4_filtering` and `security.ipv6_filtering`. This can lead to ARP spoofing on the bridge and, from there, to fully spoofing another VM/container on the same bridge. Commit 254dfd2483ab8de39b47c2258b7f1cf0759231c8 contains a patch for the issue.

Scoring

CVSS 3.1: 8.1 (HIGH)
Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:H
EPSS: 0.19% probability of exploitation · percentile 9.3% · 2026-06-19T12:03:05Z
Published: 2025-06-25
Last modified: 2026-04-15

Underlying weaknesses · 1

CWE-863

References

  1. https://github.com/lxc/incus/commit/254dfd2483ab8de39b47c2258b7f1cf0759231c8
  2. https://github.com/lxc/incus/security/advisories/GHSA-p7fw-vjjm-2rwp

Type     | Target                              | Confidence | Tier
Weakness | Incorrect Authorization (cwe-863)   | 0%         | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2026-23954
  2. CVE-2026-23953
  3. CVE-2026-33897
  4. CVE-2026-33945
  5. CVE-2026-33898
  6. CVE-2025-0650
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.