CVE-2025-15547

By default, jailed processes cannot mount filesystems, including nullfs(4). However, the allow.mount.nullfs option enables mounting nullfs filesystems, subject to privilege checks. If a privileged user within a jail is able to nullfs-mount directories, a limitation of the kernel's path lookup logic allows that user to escape the jail's chroot, yielding access to the full filesystem of the host or parent jail. In a jail configured to allow nullfs(4) mounts from within the jail, the jailed root user can escape the jail's filesystem root.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.0 / Impact : 6.0

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://security.freebsd.org/advisories/FreeBSD-SA-26:02.jail.asc	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:freebsd:freebsd:13.5:-::::::
	cpe:2.3:o:freebsd:freebsd:13.5:p1::::::
	cpe:2.3:o:freebsd:freebsd:13.5:p2::::::
	cpe:2.3:o:freebsd:freebsd:13.5:p3::::::
	cpe:2.3:o:freebsd:freebsd:13.5:p4::::::
	cpe:2.3:o:freebsd:freebsd:13.5:p5::::::
	cpe:2.3:o:freebsd:freebsd:13.5:p6::::::
	cpe:2.3:o:freebsd:freebsd:13.5:p7::::::
	cpe:2.3:o:freebsd:freebsd:13.5:p8::::::
	cpe:2.3:o:freebsd:freebsd:14.3:-::::::
	cpe:2.3:o:freebsd:freebsd:14.3:p1::::::
	cpe:2.3:o:freebsd:freebsd:14.3:p2::::::
	cpe:2.3:o:freebsd:freebsd:14.3:p3::::::
	cpe:2.3:o:freebsd:freebsd:14.3:p4::::::
	cpe:2.3:o:freebsd:freebsd:14.3:p5::::::
	cpe:2.3:o:freebsd:freebsd:14.3:p6::::::
	cpe:2.3:o:freebsd:freebsd:14.3:p7::::::

History

No history.

Information

Published : 2026-03-09 12:16

Updated : 2026-03-17 15:55

NVD link : CVE-2025-15547

Mitre link : CVE-2025-15547

CVE.ORG link : CVE-2025-15547

JSON object : View

Products Affected

freebsd

freebsd

CWE

CWE-269

Improper Privilege Management

{"id": "CVE-2025-15547", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.0}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.0}]}, "published": "2026-03-09T12:16:11.403", "references": [{"url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:02.jail.asc", "tags": ["Vendor Advisory"], "source": "secteam@freebsd.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "secteam@freebsd.org", "description": [{"lang": "en", "value": "CWE-269"}]}], "descriptions": [{"lang": "en", "value": "By default, jailed processes cannot mount filesystems, including nullfs(4). However, the allow.mount.nullfs option enables mounting nullfs filesystems, subject to privilege checks.\n\nIf a privileged user within a jail is able to nullfs-mount directories, a limitation of the kernel's path lookup logic allows that user to escape the jail's chroot, yielding access to the full filesystem of the host or parent jail.\n\nIn a jail configured to allow nullfs(4) mounts from within the jail, the jailed root user can escape the jail's filesystem root."}, {"lang": "es", "value": "Por defecto, los procesos enjaulados no pueden montar sistemas de archivos, incluyendo nullfs(4). Sin embargo, la opci\u00f3n allow.mount.nullfs permite montar sistemas de archivos nullfs, sujeto a comprobaciones de privilegios.\n\nSi un usuario privilegiado dentro de una jaula es capaz de montar directorios con nullfs, una limitaci\u00f3n de la l\u00f3gica de b\u00fasqueda de rutas del kernel permite a ese usuario escapar del chroot de la jaula, lo que otorga acceso al sistema de archivos completo del anfitri\u00f3n o de la jaula padre.\n\nEn una jaula configurada para permitir montajes de nullfs(4) desde dentro de la jaula, el usuario root enjaulado puede escapar de la ra\u00edz del sistema de archivos de la jaula."}], "lastModified": "2026-03-17T15:55:08.573", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:freebsd:freebsd:13.5:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "947F561E-AD65-43B9-94C1-3109A3D35248"}, {"criteria": "cpe:2.3:o:freebsd:freebsd:13.5:p1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3D1987F1-1E08-4B28-8D16-D25A091D99ED"}, {"criteria": "cpe:2.3:o:freebsd:freebsd:13.5:p2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BEC1E8A0-0402-45F1-938D-FEFDCFC3E747"}, {"criteria": "cpe:2.3:o:freebsd:freebsd:13.5:p3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D94457D6-738F-4ABB-BD46-F2B621531FE2"}, {"criteria": "cpe:2.3:o:freebsd:freebsd:13.5:p4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8C38CB56-B80C-4D1B-9267-16E8F985B170"}, {"criteria": "cpe:2.3:o:freebsd:freebsd:13.5:p5:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "13DF1E38-5E8D-42FF-A4C5-092300864F3E"}, {"criteria": "cpe:2.3:o:freebsd:freebsd:13.5:p6:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "83A86F81-0965-4600-835A-496756137998"}, {"criteria": "cpe:2.3:o:freebsd:freebsd:13.5:p7:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "987E31A4-7E21-471E-A3EA-4E53FFDB3DFB"}, {"criteria": "cpe:2.3:o:freebsd:freebsd:13.5:p8:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9FBFE8B3-DC7C-4394-B062-C40E201EC059"}, {"criteria": "cpe:2.3:o:freebsd:freebsd:14.3:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9DC7C54E-58AF-4ADE-84AF-0EF0F325E20E"}, {"criteria": "cpe:2.3:o:freebsd:freebsd:14.3:p1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D3D22B8C-36CF-4800-9673-0B0240558BDD"}, {"criteria": "cpe:2.3:o:freebsd:freebsd:14.3:p2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "242FA2A8-5D7D-4617-A411-2651FF3A3E4C"}, {"criteria": "cpe:2.3:o:freebsd:freebsd:14.3:p3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "40573F60-F3B7-4AEC-846A-B08E5B7D9D00"}, {"criteria": "cpe:2.3:o:freebsd:freebsd:14.3:p4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1FB832CE-0A98-44A2-8BAC-CD38A64279B6"}, {"criteria": "cpe:2.3:o:freebsd:freebsd:14.3:p5:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9A785F8E-C218-41AE-8D57-BF06DDAEF7CB"}, {"criteria": "cpe:2.3:o:freebsd:freebsd:14.3:p6:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C3909FDD-B2A2-45B6-A40B-1D303A717F15"}, {"criteria": "cpe:2.3:o:freebsd:freebsd:14.3:p7:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "720597A2-F181-46E1-8A0D-097E17ADC4FB"}], "operator": "OR"}]}], "sourceIdentifier": "secteam@freebsd.org"}