What is CVE-2025-52889?

CVE-2025-52889 is a low-severity vulnerability in Lxc Incus, classified under Allocation of Resources Without Limits or Throttling. CVSS score: 3.4/10. Published 2025-06-25.

How severe is CVE-2025-52889?

Low severity. CVSS v3 base score is 3.4 out of 10.

Resource exhaustion in Lxc Incus

CVE-2025-52889

Incus is a system container and virtual machine manager. When using an ACL on a device connected to a bridge, Incus version 6.12 and 6.13 generates nftables rules for local services (DHCP, DNS...) that partially bypass security options `se…

EPSS: 0.001 (29.7th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 3.4 (Low). Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L.

Affected products

Lxc Incus — versions >= 6.12, <= 6.13

Weakness classification (CWE)

CWE-770 — Allocation of Resources Without Limits or Throttling

References

https://github.com/lxc/incus/security/advisories/GHSA-9q7c-qmhm-jv86 (x_refsource_CONFIRM)
https://github.com/lxc/incus/commit/2516fb19ad8428454cb4edfe70c0a5f0dc1da214 (x_refsource_MISC)
https://github.com/lxc/incus/commit/a7c33301738aede3c035063e973b1d885d9bac7c (x_refsource_MISC)

Frequently asked questions

What is CVE-2025-52889?: CVE-2025-52889 is a low-severity vulnerability in Lxc Incus, classified under Allocation of Resources Without Limits or Throttling. CVSS score: 3.4/10. Published 2025-06-25.
How severe is CVE-2025-52889?: Low severity. CVSS v3 base score is 3.4 out of 10.