How to fix CVE-2025-52889?

During next maintenance window: Apply vendor patches when convenient. Monitor vendor channels for updates.

Is Ubuntu affected by CVE-2025-52889?

CVE-2025-52889 is a low-severity vulnerability in Incus (CVSS 3.4). The limited severity suggests constrained impact, typically requiring specific conditions or local access for exploitation. Apply vendor updates when available as part of routine maintenance.

CVE-2025-52889

EUVD-2025-19115 LOW

2025-06-25 [email protected]

GHSA-9q7c-qmhm-jv86

3.4

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L

Attack Vector

Adjacent

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Changed

Confidentiality

None

Integrity

None

Availability

Low

Lifecycle Timeline

Patch Released

Mar 31, 2026 - 21:13 nvd

Patch available

Analysis Generated

Mar 15, 2026 - 23:19 vuln.today

EUVD ID Assigned

Mar 15, 2026 - 23:19 euvd

EUVD-2025-19115

CVE Published

Jun 25, 2025 - 17:15 nvd

LOW 3.4

Description

Incus is a system container and virtual machine manager. When using an ACL on a device connected to a bridge, Incus version 6.12 and 6.13 generates nftables rules for local services (DHCP, DNS...) that partially bypass security options `security.mac_filtering`, `security.ipv4_filtering` and `security.ipv6_filtering`. This can lead to DHCP pool exhaustion and opens the door for other attacks. A patch is available at commit 2516fb19ad8428454cb4edfe70c0a5f0dc1da214.

Analysis

Incus is a system container and virtual machine manager. When using an ACL on a device connected to a bridge, Incus version 6.12 and 6.13 generates nftables rules for local services (DHCP, DNS...) that partially bypass security options security.mac_filtering, security.ipv4_filtering and security.ipv6_filtering. This can lead to DHCP pool exhaustion and opens the door for other attacks. A patch is available at commit 2516fb19ad8428454cb4edfe70c0a5f0dc1da214.

Technical Context

A denial of service vulnerability allows an attacker to disrupt the normal functioning of a system, making it unavailable to legitimate users. This vulnerability is classified as Allocation of Resources Without Limits or Throttling (CWE-770).

Remediation

Implement rate limiting and input validation. Use timeout mechanisms for resource-intensive operations. Deploy DDoS protection where applicable.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +17

POC: 0

Vendor Status

Ubuntu

Priority: Medium

incus

Release	Status	Version
jammy	DNE	-
noble	needs-triage	-
upstream	needs-triage	-
oracular	ignored	end of life, was needs-triage
questing	needs-triage	-
plucky	ignored	end of life, was needs-triage

Debian

incus

Release	Status	Fixed Version	Urgency
trixie (security), trixie	fixed	6.0.4-2+deb13u4	-
forky	fixed	6.0.5-8	-
sid	fixed	6.0.6-1	-
(unstable)	not-affected	-	-

CVE-2025-52889 vulnerability details – vuln.today

Back

CVE-2025-52889

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Remediation

Priority Score

Vendor Status

Ubuntu

Debian

Share

CVE-2025-52889

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Remediation

Priority Score

Vendor Status

Ubuntu

Debian

Share

External POC / Exploit Code