CVE-2025-15576
Directory Descriptor Leak in FreeBSD Jails Enables Jail Escape
Publication date: 2026-03-09
Last updated on: 2026-03-17
Assigner: FreeBSD
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| freebsd | freebsd | 13.5 |
| freebsd | freebsd | 14.3 |
Exploitability
| CWE ID | Name | Description |
|---|---|---|
| CWE-488 | Exposure of Data Element to Wrong Session | The product does not sufficiently enforce boundaries between the states of different sessions, causing data to be provided to, or used by, the wrong session. |
| CWE-790 | Improper Filtering of Special Elements | The product receives data from an upstream component, but does not filter or incorrectly filters special elements before sending it to a downstream component. |
| CWE-269 | Improper Privilege Management | The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-15576 is a security vulnerability in FreeBSD's jail subsystem, which provides OS-level virtualization by confining processes to an isolated filesystem tree (similar to chroot) together with further restrictions on what they can see and do.

The vulnerability occurs when two sibling jails, each confined to a separate filesystem root, have the same directory mounted into both of them via nullfs, a pseudo-filesystem that makes an existing directory appear at another point in the filesystem hierarchy.

Processes in the two jails can communicate over a Unix domain socket placed within the shared nullfs mount. Unix domain sockets support interprocess communication and also allow open file descriptors to be passed from one process to another.

By exchanging directory file descriptors this way, a process in one jail can receive a descriptor that refers to a directory outside its own jail root. During path lookups the kernel checks whether a lookup would stray outside the jail's root directory, but when the starting directory descriptor already refers to a directory outside that root which is reachable through the shared nullfs mount, this check does not prevent the access.

This flaw enables a jailed process to escape its chroot-like confinement and gain full filesystem access beyond its jail boundaries, effectively breaking the jail's isolation guarantees.

Exploitation requires control over cooperating processes in two different jails that share a nullfs mount with a Unix domain socket placed in it. [1]
How can this vulnerability impact me?
This vulnerability can allow a process confined within a FreeBSD jail to escape its restricted filesystem environment and gain full access to the broader filesystem outside its jail.
Such an escape breaks the isolation guarantees of the jail, potentially exposing sensitive files and system resources that were intended to be protected.
If exploited, attackers or malicious processes could bypass security controls, leading to unauthorized data access, privilege escalation, or further compromise of the system.
However, exploitation requires cooperation between processes in two different jails that share a nullfs mount with a Unix domain socket placed in it. Separately, the administrator must ensure that unprivileged users on the host cannot pass directory descriptors into jailed processes, since such a descriptor gives the jail the same kind of foothold outside its root.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves processes in two sibling jails sharing a nullfs mount and communicating via a Unix domain socket to exchange directory descriptors, potentially allowing jail escape.
Detection requires checking whether two or more jails with separate filesystem roots have the same directory mounted into each of them via nullfs.
It is also necessary to check for Unix domain sockets inside such a shared nullfs mount, since a socket there is the rendezvous point the two jails would use to pass descriptors.
Specific commands are not provided in the available resources.
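As an added example (not from the FreeBSD advisory or from this page's sources), the following sh script performs exactly that check: it pairs each jail's root from `jls -h jid path` with the `mount -p` listing, reports every nullfs source that is mounted into two or more distinct jail roots, and then lists Unix domain sockets beneath each such source with `find -type s`. The jail ids, paths and mount lines in JLS_SAMPLE and MOUNT_SAMPLE are constructed sample data so the logic can be read and run anywhere; on a FreeBSD host the script uses the live command output instead.

```shell
#!/bin/sh
# Added example: find nullfs sources shared by two or more jails, then list the
# Unix domain sockets inside them. Not from the FreeBSD advisory; the layout
# below is constructed sample data (hypothetical jail ids and paths).

# Constructed sample of `jls -h jid path` output.
JLS_SAMPLE='jid path
1 /jails/web
2 /jails/db
3 /jails/build'

# Constructed sample of `mount -p` output (fstab layout:
# fsspec fsfile vfstype options dump pass).
MOUNT_SAMPLE='/dev/ada0p2 / ufs rw 1 1
/usr/local/share /jails/web/usr/local/share nullfs ro 0 0
/srv/shared /jails/web/shared nullfs rw 0 0
/srv/shared /jails/db/shared nullfs rw 0 0
/srv/shared /jails/build/shared nullfs rw 0 0
/tank/build /jails/build/src nullfs rw 0 0'

# shared_nullfs JLS_OUTPUT MOUNT_OUTPUT
# Prints one line per nullfs source that is mounted inside two or more distinct
# jail roots: "<source> <jid>:<mountpoint> <jid>:<mountpoint> ...".
shared_nullfs() {
    printf '%s\n' "$2" | awk -v jails="$1" '
    BEGIN {
        n = split(jails, lines, "\n")
        nj = 0
        for (i = 1; i <= n; i++) {
            split(lines[i], f, " ")
            if (f[1] == "jid" || f[1] == "") continue   # header or blank line
            nj++; jid[nj] = f[1]; root[nj] = f[2]
        }
    }
    $3 == "nullfs" {
        for (i = 1; i <= nj; i++) {
            # the mountpoint ($2) is the jail root itself or lies beneath it
            if ($2 == root[i] || index($2, root[i] "/") == 1) {
                if (!(($1, i) in seen)) {       # count each jail once per source
                    seen[$1, i] = 1
                    count[$1]++
                    where[$1] = where[$1] " " jid[i] ":" $2
                }
            }
        }
    }
    END {
        for (src in count)
            if (count[src] > 1) print src where[src]
    }' | sort
}

# sockets_under DIR: Unix domain sockets beneath DIR, the rendezvous point two
# jails would need for descriptor passing. Silent if DIR does not exist.
sockets_under() {
    find "$1" -type s 2>/dev/null
}

# Use live data on a FreeBSD host, the constructed sample elsewhere.
if [ "$(uname -s)" = FreeBSD ] && command -v jls >/dev/null 2>&1; then
    JLS=$(jls -h jid path)
    MOUNTS=$(mount -p)
else
    JLS=$JLS_SAMPLE
    MOUNTS=$MOUNT_SAMPLE
fi

shared_nullfs "$JLS" "$MOUNTS" | while read -r src rest; do
    echo "shared nullfs source: $src  (mounted into: $rest)"
    sockets_under "$src" | sed 's/^/  unix socket: /'
done
```

The script only recognises the pattern the advisory describes: the same nullfs source mounted into more than one jail root. Overlapping sources (for example `/srv` mounted into one jail and `/srv/shared` into another) or a directory reachable through nested jail roots would not be reported, so treat a clean result as a heuristic, not proof. A socket can also be created at any time by a jailed process, so the mount-level finding is the one to act on.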
What immediate steps should I take to mitigate this vulnerability?
The recommended immediate mitigation is to upgrade to patched FreeBSD stable or release branches dated after the correction dates: July 29, 2025 for stable/14, and February 24, 2026 for releng/14.3 and releng/13.5.
Updates can be applied using the freebsd-update utility for binary installations or by applying source code patches, recompiling the kernel, and rebooting.
Administrators should also ensure that unprivileged users on the host cannot pass directory descriptors into jailed processes: a directory descriptor deliberately handed into a jail from outside it remains a way for the jail to reach files beyond its root even on a patched system.