Unrated severityNVD Advisory· Published Mar 9, 2026· Updated Mar 10, 2026
Jail escape by a privileged user via nullfs
CVE-2025-15547
Description
By default, jailed processes cannot mount filesystems, including nullfs(4). However, the allow.mount.nullfs option enables mounting nullfs filesystems, subject to privilege checks.
If a privileged user within a jail is able to nullfs-mount directories, a limitation of the kernel's path lookup logic allows that user to escape the jail's chroot, yielding access to the full filesystem of the host or parent jail.
In a jail configured to allow nullfs(4) mounts from within the jail, the jailed root user can escape the jail's filesystem root.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
1Patches
Vulnerability mechanics
References
1- security.freebsd.org/advisories/FreeBSD-SA-26:02.jail.ascmitrevendor-advisory
News mentions
0No linked articles in our index yet.