Skip to main content

Ubuntu CVE-2025-52889

| EUVDEUVD-2025-19115 LOW
Allocation of Resources Without Limits or Throttling (CWE-770)
2025-06-25 security-advisories@github.com GHSA-9q7c-qmhm-jv86
3.4
CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
3.4 LOW
AV:A/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L
Ubuntu
MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 15, 2026 - 23:19 euvd
EUVD-2025-19115
Analysis Generated
Mar 15, 2026 - 23:19 vuln.today
CVE Published
Jun 25, 2025 - 17:15 nvd
LOW 3.4

DescriptionGitHub Advisory

Incus is a system container and virtual machine manager. When using an ACL on a device connected to a bridge, Incus version 6.12 and 6.13 generates nftables rules for local services (DHCP, DNS...) that partially bypass security options security.mac_filtering, security.ipv4_filtering and security.ipv6_filtering. This can lead to DHCP pool exhaustion and opens the door for other attacks. A patch is available at commit 2516fb19ad8428454cb4edfe70c0a5f0dc1da214.

Analysis

Incus is a system container and virtual machine manager. When using an ACL on a device connected to a bridge, Incus version 6.12 and 6.13 generates nftables rules for local services (DHCP, DNS...) that partially bypass security options security.mac_filtering, security.ipv4_filtering and security.ipv6_filtering. This can lead to DHCP pool exhaustion and opens the door for other attacks. A patch is available at commit 2516fb19ad8428454cb4edfe70c0a5f0dc1da214.

Technical ContextAI

A denial of service vulnerability allows an attacker to disrupt the normal functioning of a system, making it unavailable to legitimate users. This vulnerability is classified as Allocation of Resources Without Limits or Throttling (CWE-770).

RemediationAI

Implement rate limiting and input validation. Use timeout mechanisms for resource-intensive operations. Deploy DDoS protection where applicable.

Vendor StatusVendor

Ubuntu

Priority: Medium
incus
Release Status Version
jammy DNE -
noble needs-triage -
upstream needs-triage -
oracular ignored end of life, was needs-triage
questing needs-triage -
plucky ignored end of life, was needs-triage

Debian

incus
Release Status Fixed Version Urgency
trixie (security), trixie fixed 6.0.4-2+deb13u4 -
forky fixed 6.0.5-8 -
sid fixed 6.0.6-1 -
(unstable) not-affected - -

Share

CVE-2025-52889 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy