CVE-2025-52889
Linux Fedora vulnerability analysis and mitigation

Overview

Incus, a system container and virtual machine manager, contains a vulnerability (CVE-2025-52889) in versions 6.12 and 6.13 where the nftables rules for local services (DHCP, DNS) partially bypass the security options security.mac_filtering, security.ipv4_filtering, and security.ipv6_filtering. The vulnerability was discovered in June 2025 and affects bridge-connected devices with ACLs (GitHub Advisory).

Technical details

The vulnerability stems from the incorrect ordering of nftables rules introduced in commit a7c3330. The rules for local services (DHCP, DNS) were placed before the MAC and IP filtering rules, so packets matching those services are accepted before the filtering rules are evaluated, effectively bypassing these security controls. The issue specifically affects bridge input chain rules that accept packets that should have been dropped by the later MAC filtering rules. The vulnerability has been assigned a CVSS v3.1 score of 3.4 (Low) with vector CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L (GitHub Advisory).

Impact

The vulnerability allows an attacker in an affected instance to bypass MAC filtering and request multiple IP addresses through DHCP requests carrying different MAC addresses, potentially leading to DHCP pool exhaustion and denial of service on the bridge's network. Additionally, the attacker can send DNS requests with arbitrary MAC and IP addresses, because the rules allow unrestricted access to the local dnsmasq DNS server (GitHub Advisory).

Mitigation and workarounds

A patch has been released in version 6.14 that corrects the ordering of the nftables rules. The fix is available in commit 2516fb19ad8428454cb4edfe70c0a5f0dc1da214, which ensures packets are properly filtered by placing the MAC and IP filtering rules ahead of the local-service accept rules (GitHub Advisory).
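Because the defect is purely one of rule order, a host administrator can audit a running ruleset for the same pattern. The following is an added example, not code from Incus or from the advisory: it scans `nft list ruleset`-style text and reports any chain in which a DHCP/DNS `accept` rule precedes a MAC-filtering `drop` rule. The two embedded rulesets are constructed for illustration and do not reproduce the real Incus rule layout; table, chain and interface names are assumptions.

```python
import re

# Constructed sample in `nft list ruleset` style (not the real Incus rule set).
# The local-service accepts sit before the MAC-filter drop: the ordering
# defect described in the advisory.
VULNERABLE_RULESET = """\
table bridge example {
    chain in_br0 {
        type filter hook input priority -200; policy accept;
        iifname "br0" udp dport 67 accept
        iifname "br0" udp dport 53 accept
        iifname "veth-inst0" ether saddr != 00:16:3e:aa:bb:cc drop
    }
}
"""

# Same constructed rules with the MAC filter evaluated first, as the fix does.
FIXED_RULESET = """\
table bridge example {
    chain in_br0 {
        type filter hook input priority -200; policy accept;
        iifname "veth-inst0" ether saddr != 00:16:3e:aa:bb:cc drop
        iifname "br0" udp dport 67 accept
        iifname "br0" udp dport 53 accept
    }
}
"""

LOCAL_SERVICE = re.compile(r"\b(udp|tcp) dport (53|67|68)\b")  # DNS / DHCP
MAC_FILTER = re.compile(r"\bether saddr\b.*\bdrop\b")          # MAC filtering


def find_service_before_filter(ruleset: str):
    """Return (chain, accept_rule, filter_rule) triples for every DHCP/DNS
    accept rule that precedes a MAC-filter drop rule in the same chain."""
    findings = []
    chain = None
    accepts_seen = []  # local-service accept rules seen so far in this chain
    for raw in ruleset.splitlines():
        line = raw.strip()
        opened = re.match(r"chain (\S+) \{", line)
        if opened:
            chain, accepts_seen = opened.group(1), []
            continue
        if line == "}":
            chain = None  # closes the chain (or the table); reset either way
            continue
        if chain is None or not line or line.startswith("type "):
            continue  # outside a chain, blank, or the chain's hook/policy line
        if LOCAL_SERVICE.search(line) and line.endswith("accept"):
            accepts_seen.append(line)
        elif MAC_FILTER.search(line):
            findings.extend((chain, a, line) for a in accepts_seen)
    return findings
```

Run against `nft list ruleset` output on a host: an empty result means no DHCP/DNS accept is evaluated ahead of a MAC-filter drop in any chain.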

