CVE-2025-15547 (GCVE-0-2025-15547)
Vulnerability from cvelistv5 – Published: 2026-03-09 11:46 – Updated: 2026-03-10 18:59
VLAI?
Title
Jail escape by a privileged user via nullfs
Summary
By default, jailed processes cannot mount filesystems, including nullfs(4). However, the allow.mount.nullfs option enables mounting nullfs filesystems, subject to privilege checks.
If a privileged user within a jail is able to nullfs-mount directories, a limitation of the kernel's path lookup logic allows that user to escape the jail's chroot, yielding access to the full filesystem of the host or parent jail.
In a jail configured to allow nullfs(4) mounts from within the jail, the jailed root user can escape the jail's filesystem root.
Severity ?
8.8 (High)
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
Date Public ?
2026-01-27 23:00
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-15547",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-10T18:59:30.204346Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-10T18:59:55.413Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"jail"
],
"product": "FreeBSD",
"vendor": "FreeBSD",
"versions": [
{
"lessThan": "p8",
"status": "affected",
"version": "14.3-RELEASE",
"versionType": "release"
},
{
"lessThan": "p9",
"status": "affected",
"version": "13.5-RELEASE",
"versionType": "release"
}
]
}
],
"datePublic": "2026-01-27T23:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "By default, jailed processes cannot mount filesystems, including nullfs(4). However, the allow.mount.nullfs option enables mounting nullfs filesystems, subject to privilege checks.\n\nIf a privileged user within a jail is able to nullfs-mount directories, a limitation of the kernel\u0027s path lookup logic allows that user to escape the jail\u0027s chroot, yielding access to the full filesystem of the host or parent jail.\n\nIn a jail configured to allow nullfs(4) mounts from within the jail, the jailed root user can escape the jail\u0027s filesystem root."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-09T11:46:51.973Z",
"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"shortName": "freebsd"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:02.jail.asc"
}
],
"title": "Jail escape by a privileged user via nullfs",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"assignerShortName": "freebsd",
"cveId": "CVE-2025-15547",
"datePublished": "2026-03-09T11:46:51.973Z",
"dateReserved": "2026-01-26T15:57:03.264Z",
"dateUpdated": "2026-03-10T18:59:55.413Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-15547\",\"sourceIdentifier\":\"secteam@freebsd.org\",\"published\":\"2026-03-09T12:16:11.403\",\"lastModified\":\"2026-03-17T15:55:08.573\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"By default, jailed processes cannot mount filesystems, including nullfs(4). However, the allow.mount.nullfs option enables mounting nullfs filesystems, subject to privilege checks.\\n\\nIf a privileged user within a jail is able to nullfs-mount directories, a limitation of the kernel\u0027s path lookup logic allows that user to escape the jail\u0027s chroot, yielding access to the full filesystem of the host or parent jail.\\n\\nIn a jail configured to allow nullfs(4) mounts from within the jail, the jailed root user can escape the jail\u0027s filesystem root.\"},{\"lang\":\"es\",\"value\":\"Por defecto, los procesos enjaulados no pueden montar sistemas de archivos, incluyendo nullfs(4). Sin embargo, la opci\u00f3n allow.mount.nullfs permite montar sistemas de archivos nullfs, sujeto a comprobaciones de privilegios.\\n\\nSi un usuario privilegiado dentro de una jaula es capaz de montar directorios con nullfs, una limitaci\u00f3n de la l\u00f3gica de b\u00fasqueda de rutas del kernel permite a ese usuario escapar del chroot de la jaula, lo que otorga acceso al sistema de archivos completo del anfitri\u00f3n o de la jaula padre.\\n\\nEn una jaula configurada para permitir montajes de nullfs(4) desde dentro de la jaula, el usuario root enjaulado puede escapar de la ra\u00edz del sistema de archivos de la jaula.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.0,\"impactScore\":6.0},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.0,\"impactScore\":6.0}]},\"weaknesses\":[{\"source\":\"secteam@freebsd.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-269\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:freebsd:freebsd:13.5:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"947F561E-AD65-43B9-94C1-3109A3D35248\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:freebsd:freebsd:13.5:p1:*:*:*:*:*:*\",\"matchCriteriaId\":\"3D1987F1-1E08-4B28-8D16-D25A091D99ED\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:freebsd:freebsd:13.5:p2:*:*:*:*:*:*\",\"matchCriteriaId\":\"BEC1E8A0-0402-45F1-938D-FEFDCFC3E747\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:freebsd:freebsd:13.5:p3:*:*:*:*:*:*\",\"matchCriteriaId\":\"D94457D6-738F-4ABB-BD46-F2B621531FE2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:freebsd:freebsd:13.5:p4:*:*:*:*:*:*\",\"matchCriteriaId\":\"8C38CB56-B80C-4D1B-9267-16E8F985B170\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:freebsd:freebsd:13.5:p5:*:*:*:*:*:*\",\"matchCriteriaId\":\"13DF1E38-5E8D-42FF-A4C5-092300864F3E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:freebsd:freebsd:13.5:p6:*:*:*:*:*:*\",\"matchCriteriaId\":\"83A86F81-0965-4600-835A-496756137998\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:freebsd:freebsd:13.5:p7:*:*:*:*:*:*\",\"matchCriteriaId\":\"987E31A4-7E21-471E-A3EA-4E53FFDB3DFB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:freebsd:freebsd:13.5:p8:*:*:*:*:*:*\",\"matchCriteriaId\":\"9FBFE8B3-DC7C-4394-B062-C40E201EC059\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:freebsd:freebsd:14.3:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"9DC7C54E-58AF-4ADE-84AF-0EF0F325E20E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:freebsd:freebsd:14.3:p1:*:*:*:*:*:*\",\"matchCriteriaId\":\"D3D22B8C-36CF-4800-9673-0B0240558BDD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:freebsd:freebsd:14.3:p2:*:*:*:*:*:*\",\"matchCriteriaId\":\"242FA2A8-5D7D-4617-A411-2651FF3A3E4C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:freebsd:freebsd:14.3:p3:*:*:*:*:*:*\",\"matchCriteriaId\":\"40573F60-F3B7-4AEC-846A-B08E5B7D9D00\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:freebsd:freebsd:14.3:p4:*:*:*:*:*:*\",\"matchCriteriaId\":\"1FB832CE-0A98-44A2-8BAC-CD38A64279B6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:freebsd:freebsd:14.3:p5:*:*:*:*:*:*\",\"matchCriteriaId\":\"9A785F8E-C218-41AE-8D57-BF06DDAEF7CB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:freebsd:freebsd:14.3:p6:*:*:*:*:*:*\",\"matchCriteriaId\":\"C3909FDD-B2A2-45B6-A40B-1D303A717F15\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:freebsd:freebsd:14.3:p7:*:*:*:*:*:*\",\"matchCriteriaId\":\"720597A2-F181-46E1-8A0D-097E17ADC4FB\"}]}]}],\"references\":[{\"url\":\"https://security.freebsd.org/advisories/FreeBSD-SA-26:02.jail.asc\",\"source\":\"secteam@freebsd.org\",\"tags\":[\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 8.8, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-15547\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-10T18:59:30.204346Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-10T18:58:43.372Z\"}}], \"cna\": {\"title\": \"Jail escape by a privileged user via nullfs\", \"affected\": [{\"vendor\": \"FreeBSD\", \"modules\": [\"jail\"], \"product\": \"FreeBSD\", \"versions\": [{\"status\": \"affected\", \"version\": \"14.3-RELEASE\", \"lessThan\": \"p8\", \"versionType\": \"release\"}, {\"status\": \"affected\", \"version\": \"13.5-RELEASE\", \"lessThan\": \"p9\", \"versionType\": \"release\"}], \"defaultStatus\": \"unknown\"}], \"datePublic\": \"2026-01-27T23:00:00.000Z\", \"references\": [{\"url\": \"https://security.freebsd.org/advisories/FreeBSD-SA-26:02.jail.asc\", \"tags\": [\"vendor-advisory\"]}], \"x_generator\": {\"engine\": \"cvelib 1.8.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"By default, jailed processes cannot mount filesystems, including nullfs(4). However, the allow.mount.nullfs option enables mounting nullfs filesystems, subject to privilege checks.\\n\\nIf a privileged user within a jail is able to nullfs-mount directories, a limitation of the kernel\u0027s path lookup logic allows that user to escape the jail\u0027s chroot, yielding access to the full filesystem of the host or parent jail.\\n\\nIn a jail configured to allow nullfs(4) mounts from within the jail, the jailed root user can escape the jail\u0027s filesystem root.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-269\", \"description\": \"CWE-269 Improper Privilege Management\"}]}], \"providerMetadata\": {\"orgId\": \"63664ac6-956c-4cba-a5d0-f46076e16109\", \"shortName\": \"freebsd\", \"dateUpdated\": \"2026-03-09T11:46:51.973Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-15547\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-10T18:59:55.413Z\", \"dateReserved\": \"2026-01-26T15:57:03.264Z\", \"assignerOrgId\": \"63664ac6-956c-4cba-a5d0-f46076e16109\", \"datePublished\": \"2026-03-09T11:46:51.973Z\", \"assignerShortName\": \"freebsd\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…