CVE-2025-15547
Published: Mar 9, 2026
Modified: Mar 10, 2026
Description
By default, jailed processes cannot mount filesystems, including nullfs(4). However, the allow.mount.nullfs option enables mounting nullfs filesystems, subject to privilege checks. If a privileged user within a jail is able to nullfs-mount directories, a limitation of the kernel's path lookup logic allows that user to escape the jail's chroot, yielding access to the full filesystem of the host or parent jail. In a jail configured to allow nullfs(4) mounts from within the jail, the jailed root user can escape the jail's filesystem root.
| Vendor | Product | Versions |
|---|---|---|
FreeBSD | FreeBSD | affected 14.3-RELEASE - < p8affected 13.5-RELEASE - < p9 |
Weaknesses (CWE)
References
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now