CVE-2025-15547
Received Received - Intake
Privilege Escalation via Nullfs Mount Escape in FreeBSD Jails

Publication date: 2026-03-09

Last updated on: 2026-03-17

Assigner: FreeBSD

Description
By default, jailed processes cannot mount filesystems, including nullfs(4). However, the allow.mount.nullfs option enables mounting nullfs filesystems, subject to privilege checks. If a privileged user within a jail is able to nullfs-mount directories, a limitation of the kernel's path lookup logic allows that user to escape the jail's chroot, yielding access to the full filesystem of the host or parent jail. In a jail configured to allow nullfs(4) mounts from within the jail, the jailed root user can escape the jail's filesystem root.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-09
Last Modified
2026-03-17
Generated
2026-06-16
AI Q&A
2026-03-09
EPSS Evaluated
2026-06-15
NVD
CVE-2025-15547
EUVD
EUVD-2025-208407
Affected Vendors & Products
Showing 17 associated CPEs
Vendor Product Version / Range
freebsd freebsd 13.5
freebsd freebsd 13.5
freebsd freebsd 13.5
freebsd freebsd 13.5
freebsd freebsd 13.5
freebsd freebsd 13.5
freebsd freebsd 13.5
freebsd freebsd 13.5
freebsd freebsd 13.5
freebsd freebsd 14.3
freebsd freebsd 14.3
freebsd freebsd 14.3
freebsd freebsd 14.3
freebsd freebsd 14.3
freebsd freebsd 14.3
freebsd freebsd 14.3
freebsd freebsd 14.3
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-269 The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2025-15547 is a security vulnerability in FreeBSD's jail subsystem, which provides OS-level virtualization by restricting processes within confined environments."}, {'type': 'paragraph', 'content': 'Normally, jailed processes cannot mount filesystems, including the nullfs(4) pseudo-filesystem that allows mounting a directory at another point in the filesystem.'}, {'type': 'paragraph', 'content': 'However, if the allow.mount.nullfs option is enabled inside a jail, a privileged user can mount nullfs filesystems.'}, {'type': 'paragraph', 'content': "Due to a limitation in the kernel's path lookup logic, a privileged user inside such a jail can exploit this to escape the jail's filesystem root (chroot), gaining access to the full filesystem of the host or parent jail."}] [1]

Impact Analysis

[{'type': 'paragraph', 'content': "This vulnerability allows a privileged user inside a FreeBSD jail with allow.mount.nullfs enabled to escape the jail's confinement."}, {'type': 'paragraph', 'content': 'Such an escape breaks the isolation intended by the jail, potentially exposing the entire host or parent jail filesystem to the attacker.'}, {'type': 'paragraph', 'content': 'This can lead to unauthorized access to sensitive files and data outside the jail, compromising system security and integrity.'}] [1]

Compliance Impact

I don't know

Detection Guidance

This vulnerability involves privileged users inside FreeBSD jails being able to mount nullfs filesystems if the allow.mount.nullfs option is enabled. Detection involves checking if any jails have the allow.mount.nullfs option enabled.

You can inspect jail configurations to see if allow.mount.nullfs is enabled. For example, use commands to list jail parameters or check jail configuration files.

  • Check jail parameters with: jail -v or jls -v to list running jails and their parameters.
  • Examine jail configuration files (e.g., /etc/jail.conf) for the allow.mount.nullfs option.
  • Within a jail, verify if nullfs mounts are possible by attempting to mount a nullfs filesystem (requires privileged access).
Mitigation Strategies

The primary mitigation is to ensure that the allow.mount.nullfs option is not enabled in any jail configurations, preventing jailed processes from mounting nullfs filesystems.

Additionally, apply the official patches provided by FreeBSD to fix the kernel path lookup limitation that allows jail escapes.

  • Upgrade to patched FreeBSD stable or release branches dated after June 30, 2025 (for stable/14 and stable/13) or January 26-27, 2026 (for releng/14.3 and releng/13.5).
  • Use freebsd-update to apply updates on supported platforms.
  • Alternatively, download, verify, and apply source patches followed by recompiling the kernel.

No other workaround exists besides disabling allow.mount.nullfs or applying the patches.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-15547. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart