FreeBSD Patches Critical Jail Escape Vulnerability CVE-2025-15576


FreeBSD administrators must patch CVE-2025-15576 immediately. This critical flaw lets attackers escape jail environments to access the host filesystem. Attackers need control of processes in two sibling jails sharing a nullfs mount. The FreeBSD Project disclosed it on February 24, 2026.

Jails provide OS-level isolation like chroot but stronger. They limit processes to specific filesystems. CVE-2025-15576 breaks this through Unix domain sockets. Malicious processes exchange directory file descriptors across jails. The kernel fails to stop filesystem lookups outside jail boundaries.

No crashes occur despite the title. Attackers gain full root filesystem access instead. They read sensitive files, modify configs, or steal data. Privilege escalation follows easily.

Vulnerability Details

The flaw hits core jail subsystems. Specific configs trigger escape.

Detail        Information
CVE ID        CVE-2025-15576
Type          Jail/chroot escape via fd exchange
Component     Core Jail Subsystem
Disclosure    February 24, 2026
Affected      FreeBSD 14.3, 13.5
CVSS Score    Critical (exact score pending)
Workaround    None available

Attack Requirements

Exploitation needs precise setup:

  • Two sibling jails share a nullfs mount
  • The attacker controls processes in both jails
  • A Unix domain socket connects them
  • The processes exchange directory file descriptors

Unprivileged users cannot pass fds normally. Jail configs must allow socket communication. Shared mounts create the gap.

Impact Scope

Attackers reach beyond jail roots. They access:

  • Host /etc configs
  • SSH keys and credentials
  • Application databases
  • System logs

Full host compromise follows. No user interaction needed beyond initial access.

Patch Instructions

Binary installs update easily:

freebsd-update fetch
freebsd-update install
reboot

Source builds need kernel recompilation. Verify that the patch date is after February 24, 2026. Test jails after the reboot.

Review nullfs mount configs. Limit cross-jail socket access. Block untrusted processes from fd passing.

Secure Configuration

Prevent future escapes:

  • Avoid nullfs mounts between sibling jails
  • Disable Unix sockets across jails
  • Restrict fd passing to privileged users
  • Monitor jail process communication
  • Audit shared mount configurations
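
One way to audit shared mount configurations, as an added example that is not part of the original article or the FreeBSD advisory: the hypothetical function find_shared_nullfs reads the output of `jls name path` and `mount -p -t nullfs` and lists every nullfs source directory that is mounted inside more than one jail. It flags any two jails sharing a source, not only siblings, and the jail names and paths in the demo are constructed.

```shell
#!/bin/sh
# Added audit example (not from the article or the FreeBSD advisory).
# On a host: jls name path > jails.txt; mount -p -t nullfs > mounts.txt
#            find_shared_nullfs jails.txt mounts.txt
# Assumes jail names and paths contain no whitespace.
find_shared_nullfs() {
    awk '
        FILENAME == ARGV[1] { root[$1] = $2; next }   # jail name -> root path
        $3 != "nullfs" { next }                        # fstab format: src mnt type ...
        {
            # Attribute the mountpoint to the jail with the longest matching root,
            # so a mount inside a nested jail is not counted for its parent.
            owner = ""; len = 0
            for (j in root) {
                r = root[j]
                if (($2 == r || index($2, r "/") == 1) && length(r) > len) {
                    owner = j; len = length(r)
                }
            }
            if (owner == "" || seen[$1, owner]++) next # host-only mount or duplicate
            jails[$1] = (n[$1]++ ? jails[$1] " " : "") owner
        }
        END { for (s in n) if (n[s] > 1) print s ": " jails[s] }
    ' "$1" "$2" | sort
}

# Constructed sample data, not taken from a real host.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/jails" <<'EOF'
web /jails/web
db /jails/db
build /jails/build
EOF
    cat > "$d/mounts" <<'EOF'
/data/shared /jails/web/mnt/shared nullfs rw 0 0
/data/shared /jails/db/mnt/shared nullfs rw 0 0
/usr/ports /jails/build/usr/ports nullfs ro 0 0
/data/logs /jails/web/var/log/app nullfs rw 0 0
EOF
    find_shared_nullfs "$d/jails" "$d/mounts"
    rm -rf "$d"
}
demo
```

Each line of output names a source directory followed by the jails that mount it; an empty result means no nullfs source is shared between jails.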

FAQ

What does CVE-2025-15576 do?

Allows jail escape to host filesystem via fd exchange.

Which FreeBSD versions need patches?

14.3 and 13.5 release branches.

Can attackers crash systems?

No. They gain filesystem access instead.

Is there a temporary fix?

No. Patch immediately via freebsd-update.

What configs trigger the flaw?

Sibling jails with nullfs mounts and Unix sockets.
