CVE-2025-15547

CVE-2025-15547: Jail escape by a privileged user via nullfs

Vendor FreeBSD
Product FreeBSD
Weakness CWE-269
Published March 9, 2026
Last update March 10, 2026

What the vulnerability does

01 Description

By default, jailed processes cannot mount filesystems, including nullfs(4). However, the allow.mount.nullfs option enables mounting nullfs filesystems, subject to privilege checks. If a privileged user within a jail is able to nullfs-mount directories, a limitation of the kernel's path lookup logic allows that user to escape the jail's chroot, yielding access to the full filesystem of the host or parent jail. In a jail configured to allow nullfs(4) mounts from within the jail, the jailed root user can escape the jail's filesystem root.
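An audit for the exposed configuration described above, as an added example that is not part of the original record: it lists running jails that have allow.mount.nullfs enabled. It assumes input in `jls -n` format (space-separated tokens, booleans printed as `name` or with `no` on the last component); the function names and the sample jails are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag jails that permit nullfs mounts from inside the jail.
# Reads `jls -n`-style lines on stdin, one jail per line.
# Assumption: no quoted parameter value contains the literal token
# "allow.mount.nullfs" (values with spaces are not re-parsed here).

flag_nullfs_jails() {
    awk '
    {
        name = "?"; nullfs = 0; mount = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^name=/)                   name = substr($i, 6)
            else if ($i == "allow.mount.nullfs") nullfs = 1
            else if ($i == "allow.mount")        mount = 1
        }
        # jail(8): allow.mount.nullfs is effective only together with
        # allow.mount, so report that flag next to each hit.
        if (nullfs)
            printf "%s allow.mount=%s\n", name, (mount ? "yes" : "no")
    }'
}

# Constructed sample input, used when jls(8) is not available.
sample_jls() {
    cat <<'EOF'
jid=1 name=web path=/jails/web enforce_statfs=2 allow.nomount allow.mount.nonullfs
jid=2 name=build path=/jails/build enforce_statfs=1 allow.mount allow.mount.nullfs
jid=3 name=db path=/jails/db enforce_statfs=2 allow.nomount allow.mount.nullfs
EOF
}

if command -v jls >/dev/null 2>&1; then
    jls -n | flag_nullfs_jails
else
    sample_jls | flag_nullfs_jails
fi
```

Each jail it prints is one where the jailed root user is permitted nullfs mounts by configuration; review whether that permission is still needed there.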

Key dates

02 Disclosure timeline

March 9, 2026 CVE published
March 10, 2026 Record updated