CVE-2025-15547 in FreeBSD

Summary

by MITRE • 03/09/2026

By default, jailed processes cannot mount filesystems, including nullfs(4). However, the allow.mount.nullfs option enables mounting nullfs filesystems, subject to privilege checks.

If a privileged user within a jail is able to nullfs-mount directories, a limitation of the kernel's path lookup logic allows that user to escape the jail's chroot, yielding access to the full filesystem of the host or parent jail.

In a jail configured to allow nullfs(4) mounts from within the jail, the jailed root user can escape the jail's filesystem root.


Analysis

by VulDB Data Team • 03/17/2026

This vulnerability is a critical privilege escalation flaw in FreeBSD jail environments that directly undermines the isolation the jail mechanism is meant to provide. It arises from the interaction between the allow.mount.nullfs configuration option and the kernel's path lookup logic, which lets a privileged user inside a jail escape the confined environment. Only jails configured with allow.mount.nullfs enabled, which permits nullfs filesystem mounts from within the jail, are affected. The option exists to support legitimate use cases, but combined with the kernel's path resolution behaviour during mount operations it opens a dangerous attack vector.

The flaw lies in the kernel's path lookup implementation: a nullfs mount can be used to resolve paths beyond the intended jail boundary. When a privileged user inside a jail creates a nullfs mount pointing to a directory on the host system, path resolution fails to enforce the chroot boundary that should contain the jail. The nullfs mount operation does not adequately validate that the mounted path stays within the jail's designated filesystem root. The vulnerability is particularly dangerous because a user who already holds some privilege inside the jail can extend that access to the complete host filesystem, breaking the isolation barrier jails are designed to maintain.

The operational impact is severe for systems that rely on FreeBSD jails for security isolation. An attacker who obtains a privileged account inside a jail can escalate to full host system access and potentially compromise the entire hosting environment. This undermines the core security model of FreeBSD jails, which are commonly used for containerization, application isolation and multi-tenant hosting. The attack requires only a user with sufficient privilege inside the jail to perform the nullfs mount operation, so it is available to any attacker who has already breached the jail's initial security boundary. Affected systems are those where allow.mount.nullfs is enabled, which may be the default in certain configurations or enabled by administrators for legitimate operational requirements.

Mitigation should focus on disabling allow.mount.nullfs in every jail configuration where it is not strictly necessary for operational requirements. System administrators should audit their jail configurations to identify the option and remove or restrict it wherever it poses unnecessary risk, particularly in production environments that require strict isolation. Administrators should also monitor and log mount operations inside jails to detect exploitation attempts. The vulnerability aligns with CWE-276, which addresses improper privileges, and maps to ATT&CK technique T1068, privilege escalation through kernel exploits, although it is more accurately classified as privilege escalation through improper access control. Organizations should also consider mandatory access controls and additional security layers beyond the basic jail mechanism to provide defense in depth against such exploitation.
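As an added example that is not part of the VulDB analysis or of FreeBSD's own tooling, the following POSIX shell helper performs the configuration audit recommended above: it lists running jails whose allow.mount.nullfs option is enabled, working from `jls -n` output. It assumes `jls -n` prints each jail on one line as name=value pairs with boolean parameters in their name/noname form; the sample lines are constructed, not captured from a real system.

```shell
#!/bin/sh
# Added audit helper: list running jails that have allow.mount.nullfs enabled,
# the precondition for CVE-2025-15547. Input is one jail per line in the
# name=value style of `jls -n`. Boolean parameters are accepted in every
# spelling assumed possible: a bare "allow.mount.nullfs" or "=1"/"=true" means
# enabled, the negated "allow.mount.nonullfs" or "=0"/"=false" means disabled.
# Per jail(8) the nullfs permission only takes effect together with allow.mount
# and enforce_statfs below 2, so both are reported; the nullfs flag itself is
# still what should be turned off.
nullfs_enabled_jails() {
    awk '
    {
        name = "?"; nullfs = 0; mount = 0; statfs = "?"
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=")
            key = kv[1]; val = (n > 1) ? kv[2] : ""
            on = (val == "" || val == "1" || val == "true")
            if (key == "name")                      name = val
            else if (key == "enforce_statfs")       statfs = val
            else if (key == "allow.mount")          mount = on
            else if (key == "allow.nomount")        mount = !on
            else if (key == "allow.mount.nullfs")   nullfs = on
            else if (key == "allow.mount.nonullfs") nullfs = !on
        }
        if (nullfs) printf "%s allow.mount=%d enforce_statfs=%s\n", name, mount, statfs
    }'
}

# Constructed sample in `jls -n` style (not captured from a real system).
SAMPLE_JLS='jid=1 name=www path=/usr/jails/www enforce_statfs=2 allow.mount allow.mount.nullfs
jid=2 name=db path=/usr/jails/db enforce_statfs=2 allow.nomount allow.mount.nonullfs
jid=3 name=build path=/usr/jails/build enforce_statfs=1 allow.mount=1 allow.mount.nullfs=true
jid=4 name=legacy path=/usr/jails/legacy enforce_statfs=2 allow.mount=0 allow.mount.nullfs=0
jid=5 name=staging path=/usr/jails/staging allow.nomount allow.mount.nullfs'

# Audit the live system when jls(8) is available, otherwise run the sample.
if command -v jls >/dev/null 2>&1; then
    jls -n | nullfs_enabled_jails
else
    printf '%s\n' "$SAMPLE_JLS" | nullfs_enabled_jails
fi
```

Every jail the helper prints should have allow.mount.nullfs removed from its configuration unless there is a documented need for it; a reported allow.mount=0 or enforce_statfs=2 means the permission is currently latent, not that it is safe to leave in place.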

Responsible

FreeBSD

Reservation

01/26/2026

Disclosure

03/09/2026

Moderation

accepted

CPE

ready

EPSS

0.00024

KEV

no

Activities

very low

Sources
