
CVE-2025-52889: CWE-770: Allocation of Resources Without Limits or Throttling in lxc incus

Low
Published: Wed Jun 25 2025 (06/25/2025, 16:49:00 UTC)
Source: CVE Database V5
Vendor/Project: lxc
Product: incus

Description

Incus is a system container and virtual machine manager. When using an ACL on a device connected to a bridge, Incus version 6.12 and 6.13 generates nftables rules for local services (DHCP, DNS...) that partially bypass security options `security.mac_filtering`, `security.ipv4_filtering` and `security.ipv6_filtering`. This can lead to DHCP pool exhaustion and opens the door for other attacks. A patch is available at commit 2516fb19ad8428454cb4edfe70c0a5f0dc1da214.

AI-Powered Analysis

Last updated: 06/25/2025, 17:06:01 UTC

Technical Analysis

CVE-2025-52889 is a vulnerability identified in the Incus container and virtual machine manager, specifically affecting versions 6.12 and 6.13. Incus is part of the LXC project, widely used for managing system containers and virtual machines. The vulnerability arises when an Access Control List (ACL) is applied to a device connected to a network bridge. Under these conditions, Incus generates nftables firewall rules intended to protect local services such as DHCP and DNS. However, these rules partially bypass critical security options including security.mac_filtering, security.ipv4_filtering, and security.ipv6_filtering. This bypass leads to an unintended exposure of local network services, particularly DHCP, which can be exploited to exhaust the DHCP address pool. DHCP pool exhaustion can cause denial of service by preventing legitimate clients from obtaining IP addresses, disrupting network connectivity within the containerized environment. Furthermore, the weakened filtering may open avenues for additional attacks leveraging the compromised local services. The vulnerability is categorized under CWE-770, which concerns allocation of resources without proper limits or throttling, indicating that resource exhaustion is a core issue. The CVSS v3.1 base score is 3.4 (low severity), with an attack vector of adjacent network (AV:A), low attack complexity (AC:L), requiring high privileges (PR:H), no user interaction (UI:N), and scope changed (S:C). The impact is limited to availability (A:L) with no confidentiality or integrity loss. No known exploits are reported in the wild, and a patch is available in the LXC project repository (commit 2516fb19ad8428454cb4edfe70c0a5f0dc1da214).

Potential Impact

For European organizations utilizing Incus versions 6.12 or 6.13, especially in environments where containers are networked via bridges with ACLs, this vulnerability poses a risk of service disruption. The exhaustion of DHCP pools can lead to denial of service within containerized infrastructures, impacting availability of network services critical for operations. This is particularly relevant for data centers, cloud service providers, and enterprises relying on container orchestration for internal applications. While the confidentiality and integrity of data are not directly affected, the availability impact can cascade, causing operational delays and potential downtime. Additionally, the partial bypass of security filtering may increase the attack surface, potentially enabling lateral movement or further exploitation if combined with other vulnerabilities. Organizations with strict network segmentation and those deploying Incus in multi-tenant or shared environments are at higher risk due to the potential for resource exhaustion attacks originating from adjacent network segments.

Mitigation Recommendations

1. Immediate upgrade to Incus versions beyond 6.13 where the patch addressing this vulnerability is applied, referencing commit 2516fb19ad8428454cb4edfe70c0a5f0dc1da214.
2. Review and tighten ACL configurations on devices connected to network bridges to minimize exposure.
3. Implement DHCP rate limiting and monitoring to detect abnormal lease request patterns indicative of exhaustion attempts.
4. Enhance nftables firewall rules manually to enforce strict filtering on local services, ensuring that security.mac_filtering, security.ipv4_filtering, and security.ipv6_filtering are effectively applied.
5. Deploy network segmentation to isolate container management networks from user or less trusted networks, reducing the attack surface.
6. Monitor logs and network traffic for signs of DHCP pool exhaustion or unusual nftables rule modifications.
7. Conduct regular security audits of container orchestration environments to verify that resource allocation limits and throttling mechanisms are in place and effective.
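The monitoring recommended in steps 3 and 6 can be reduced to a concrete check. The following script is an added example, not code from the Incus project or from this advisory: it parses syslog-style lines in the format dnsmasq-dhcp writes for a managed bridge and raises an alert when more distinct client MAC addresses than expected send DHCPDISCOVER within a sliding window, which is the pattern of a pool-exhaustion attempt that the weakened `security.mac_filtering` would otherwise have prevented. It also reports how much of a given pool is currently leased. The log lines, the bridge name `incusbr0`, the pool size and the thresholds are constructed assumptions for the example.

```python
"""Detect DHCP pool-exhaustion (starvation) attempts from dnsmasq-dhcp log lines.

Added example for CVE-2025-52889: counts distinct client MAC addresses that send
DHCPDISCOVER on one bridge inside a sliding time window. A burst of never-seen
MACs (rather than retries from the same MAC) is what exhausts a DHCP pool.
All sample data below is constructed, not captured from a real host.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log: two normal clients, then six distinct MACs in five seconds.
SAMPLE_LOG = """\
Jun 25 16:49:01 incus-host dnsmasq-dhcp[1234]: DHCPDISCOVER(incusbr0) 00:16:3e:aa:00:01
Jun 25 16:49:01 incus-host dnsmasq-dhcp[1234]: DHCPOFFER(incusbr0) 10.10.10.10 00:16:3e:aa:00:01
Jun 25 16:49:01 incus-host dnsmasq-dhcp[1234]: DHCPREQUEST(incusbr0) 10.10.10.10 00:16:3e:aa:00:01
Jun 25 16:49:01 incus-host dnsmasq-dhcp[1234]: DHCPACK(incusbr0) 10.10.10.10 00:16:3e:aa:00:01 web1
Jun 25 16:52:30 incus-host dnsmasq-dhcp[1234]: DHCPDISCOVER(incusbr0) 00:16:3e:aa:00:02
Jun 25 16:52:30 incus-host dnsmasq-dhcp[1234]: DHCPACK(incusbr0) 10.10.10.11 00:16:3e:aa:00:02 db1
Jun 25 17:00:00 incus-host dnsmasq-dhcp[1234]: DHCPDISCOVER(incusbr0) de:ad:be:ef:00:01
Jun 25 17:00:00 incus-host dnsmasq-dhcp[1234]: DHCPACK(incusbr0) 10.10.10.12 de:ad:be:ef:00:01
Jun 25 17:00:01 incus-host dnsmasq-dhcp[1234]: DHCPDISCOVER(incusbr0) de:ad:be:ef:00:02
Jun 25 17:00:01 incus-host dnsmasq-dhcp[1234]: DHCPACK(incusbr0) 10.10.10.13 de:ad:be:ef:00:02
Jun 25 17:00:02 incus-host dnsmasq-dhcp[1234]: DHCPDISCOVER(incusbr0) de:ad:be:ef:00:03
Jun 25 17:00:02 incus-host dnsmasq-dhcp[1234]: DHCPACK(incusbr0) 10.10.10.14 de:ad:be:ef:00:03
Jun 25 17:00:03 incus-host dnsmasq-dhcp[1234]: DHCPDISCOVER(incusbr0) de:ad:be:ef:00:04
Jun 25 17:00:03 incus-host dnsmasq-dhcp[1234]: DHCPDISCOVER(incusbr0) de:ad:be:ef:00:05
Jun 25 17:00:04 incus-host dnsmasq-dhcp[1234]: DHCPDISCOVER(incusbr0) de:ad:be:ef:00:06
"""

# Assumed line shape: "<syslog ts> <host> dnsmasq-dhcp[pid]: DHCPxxx(<iface>) [<ip>] <mac> [...]".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dnsmasq-dhcp\[\d+\]: "
    r"(?P<msg>DHCP[A-Z]+)\((?P<iface>[^)]+)\) "
    r"(?:(?P<ip>\d+(?:\.\d+){3}) )?(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
)


def parse_line(line):
    """Return the event fields of one log line, or None for lines that are not DHCP events."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "time": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),  # syslog carries no year
        "msg": m["msg"],
        "iface": m["iface"],
        "ip": m["ip"],
        "mac": m["mac"].lower(),
    }


def detect_starvation(lines, window_seconds=60, max_new_clients=5):
    """Alert once per burst when more than max_new_clients distinct MACs send
    DHCPDISCOVER on the same bridge within any window_seconds interval."""
    recent = defaultdict(deque)  # iface -> (time, mac) events still inside the window
    in_alert = set()             # ifaces whose burst has already been reported
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if not ev or ev["msg"] != "DHCPDISCOVER":
            continue
        q = recent[ev["iface"]]
        q.append((ev["time"], ev["mac"]))
        while (ev["time"] - q[0][0]).total_seconds() > window_seconds:
            q.popleft()  # expire events that fell out of the window
        distinct = len({mac for _, mac in q})  # retries from one MAC count once
        if distinct > max_new_clients:
            if ev["iface"] not in in_alert:
                in_alert.add(ev["iface"])
                alerts.append({"iface": ev["iface"],
                               "at": ev["time"].strftime("%b %d %H:%M:%S"),
                               "distinct_macs": distinct})
        else:
            in_alert.discard(ev["iface"])
    return alerts


def pool_utilization(lines, pool_size):
    """Fraction of a pool of pool_size addresses that has been acknowledged to clients."""
    leased = {ev["ip"] for ev in map(parse_line, lines) if ev and ev["msg"] == "DHCPACK"}
    return len(leased) / pool_size


if __name__ == "__main__":
    log_lines = SAMPLE_LOG.splitlines()
    for alert in detect_starvation(log_lines):
        print("possible DHCP starvation on %(iface)s at %(at)s: %(distinct_macs)d new clients" % alert)
    print("pool utilization: %.0f%%" % (100 * pool_utilization(log_lines, pool_size=10)))
```

Run against a live host by feeding the bridge's dnsmasq log to `detect_starvation` instead of `SAMPLE_LOG`; the window and threshold should be tuned to the normal container churn on that bridge, since a planned mass start of containers also produces many new MACs in a short time.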


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2025-06-20T17:42:25.709Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 685c2b635eba5e4469931577

Added to database: 6/25/2025, 5:01:23 PM

Last enriched: 6/25/2025, 5:06:01 PM

Last updated: 8/13/2025, 8:52:38 AM
