CVE-2025-15547
Jail escape by a privileged user via nullfs
CVSS Score
8.8
EPSS Score
0.0%
EPSS Percentile
0th
By default, jailed processes cannot mount filesystems, including nullfs(4). However, the allow.mount.nullfs option enables mounting nullfs filesystems, subject to privilege checks. If a privileged user within a jail is able to nullfs-mount directories, a limitation of the kernel's path lookup logic allows that user to escape the jail's chroot, yielding access to the full filesystem of the host or parent jail. In a jail configured to allow nullfs(4) mounts from within the jail, the jailed root user can escape the jail's filesystem root.
| CWE | CWE-269 |
| Vendor | freebsd |
| Product | freebsd |
| Published | Mar 9, 2026 |
| Last Updated | Mar 10, 2026 |
Stay Ahead of the Next One
Get instant alerts for freebsd freebsd
Be the first to know when new high vulnerabilities affecting freebsd freebsd are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
FreeBSD / FreeBSD
14.3-RELEASE < p8 13.5-RELEASE < p9