CVE-2025-15547

EUVD-2025-208407

09.03.2026, 12:16

By default, jailed processes cannot mount filesystems, including nullfs(4). However, the allow.mount.nullfs option enables mounting nullfs filesystems, subject to privilege checks.

If a privileged user within a jail is able to nullfs-mount directories, a limitation of the kernel's path lookup logic allows that user to escape the jail's chroot, yielding access to the full filesystem of the host or parent jail.

In a jail configured to allow nullfs(4) mounts from within the jail, the jailed root user can escape the jail's filesystem root.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	8.8 HIGH	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Affected Products (NVD)

Vendor	Product	Version
freebsd	freebsd	13.5
freebsd	freebsd	13.5:p1
freebsd	freebsd	13.5:p2
freebsd	freebsd	13.5:p3
freebsd	freebsd	13.5:p4
freebsd	freebsd	13.5:p5
freebsd	freebsd	13.5:p6
freebsd	freebsd	13.5:p7
freebsd	freebsd	13.5:p8
freebsd	freebsd	14.3
freebsd	freebsd	14.3:p1
freebsd	freebsd	14.3:p2
freebsd	freebsd	14.3:p3
freebsd	freebsd	14.3:p4
freebsd	freebsd	14.3:p5
freebsd	freebsd	14.3:p6
freebsd	freebsd	14.3:p7

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-269 - Improper Privilege Management
The software does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

References

https://security.freebsd.org/advisories/FreeBSD-SA-26:02.jail.asc