CVE-2025-15576 Overview
CVE-2025-15576 is a privilege escalation vulnerability in FreeBSD's jail isolation mechanism. It allows jailed processes to bypass filesystem restrictions when two sibling jails share a directory through a nullfs mount. By exchanging directory descriptors over a unix domain socket reachable from that shared directory, cooperating processes in the two jails can gain access to the full host filesystem, breaking the chroot-style isolation that jails are designed to enforce.
The vulnerability stems from how the FreeBSD kernel performs filesystem name lookups. At each step of a lookup, the kernel checks whether the step would climb out of the jail root of the current process and refuses it if so. That check can only fire when the lookup actually passes through the jail root. A directory descriptor that a jailed process receives from another jail over a unix domain socket may refer to a location outside the receiving process's jail root (a sibling jail's root, for instance). A lookup that starts from such a descriptor never passes through the receiver's root, so ".." traversal continues unchecked and the process can reach any part of the filesystem.
Critical Impact
Jailed processes can escape their filesystem restrictions, gaining full access to the host filesystem and potentially compromising all jails on the system.
Affected Products
- FreeBSD systems with jail configurations
- Systems using nullfs mounts shared between sibling jails
- Environments where jailed processes can communicate via unix domain sockets
Discovery Timeline
- 2026-03-09 - CVE-2025-15576 published to NVD
- 2026-03-10 - Last updated in NVD database
Technical Details for CVE-2025-15576
Vulnerability Analysis
This vulnerability represents a fundamental weakness in FreeBSD's jail isolation architecture when specific administrative configurations are in place. The jail subsystem relies on ensuring that filesystem operations cannot traverse outside the designated jail root. However, the file descriptor exchange mechanism via unix domain sockets was not adequately constrained within this security model.
When two sibling jails are configured with separate filesystem trees (meaning neither jail root is an ancestor of the other), they should be completely isolated from each other's filesystem hierarchies. The vulnerability emerges when an administrator configures a shared directory using nullfs mounts. This shared access point allows processes in both jails to establish unix domain socket connections and exchange file descriptors, including directory descriptors.
The flaw shows during filesystem name lookups. When a traversal starts inside the jail, any attempt to climb out of the jail root passes through that root and the per-step check stops it. A lookup that starts from a received directory descriptor pointing outside the jail root never passes through that root, so the check never applies, and a malicious jailed process can use the descriptor to reach filesystem locations entirely outside its designated boundaries.
Root Cause
The root cause is classified under CWE-269 (Improper Privilege Management). The FreeBSD kernel's filesystem lookup validation does not account for directory descriptors exchanged between jails via unix domain sockets. When performing name lookups, the kernel checks for jail root boundary violations at each traversal step, but this validation is bypassed when a jailed process operates on a directory descriptor that was received from another jail and references a location outside the receiving process's jail root.
Attack Vector
The attack requires local access and a specific system configuration where:
- Two or more sibling jails exist with separate filesystem roots
- A nullfs mount creates a shared directory accessible to multiple jails
- Processes in different jails can establish unix domain socket connections
The attack works through the following mechanism:
A process in Jail A opens a directory outside Jail B's root (its own root directory is enough, since the two roots are siblings) and obtains a descriptor for it. Using a unix domain socket reachable through the shared nullfs mount, Jail A sends this descriptor to a cooperating process in Jail B. When Jail B's process performs filesystem operations relative to the received descriptor, the lookups never pass through Jail B's root, so it can reach locations entirely outside its designated jail root, achieving full filesystem access and breaking the chroot isolation.
This is a local attack vector requiring cooperation between processes in different jails. While the attack complexity is high due to the specific configuration requirements, successful exploitation results in complete bypass of jail filesystem isolation with significant confidentiality and integrity impacts.
Detection Methods for CVE-2025-15576
Indicators of Compromise
- Unexpected unix domain socket connections between processes in different jails
- File access patterns showing jailed processes accessing paths outside their designated root
- Audit logs indicating file descriptor passing between processes in separate jails
- Anomalous filesystem operations originating from jailed processes targeting shared nullfs mount points
Detection Strategies
- Enable FreeBSD security event auditing to monitor inter-jail communications and file descriptor exchanges
- Implement filesystem access monitoring to detect jailed processes accessing unexpected paths
- Review jail configurations for nullfs mounts that create shared access points between sibling jails
- Monitor for unix domain socket creation within nullfs-mounted shared directories
Monitoring Recommendations
- Deploy host-based intrusion detection to identify jail escape attempts
- Configure audit rules covering the sendmsg() and recvmsg() system calls of jailed processes; note that the audit records for these calls do not decode the ancillary data, so SCM_RIGHTS messages cannot be singled out from the record alone and should be correlated with sockets bound in shared directories
- Establish baseline behavior for inter-jail communications and alert on deviations
- Regularly audit jail configurations to identify potentially vulnerable nullfs mount setups
How to Mitigate CVE-2025-15576
Immediate Actions Required
- Review all jail configurations for nullfs mounts that create shared directories between sibling jails
- Restrict or eliminate unix domain socket communication paths between different jails where possible
- Apply the FreeBSD security patch as referenced in the FreeBSD Security Advisory
- Ensure unprivileged users on the jail host cannot pass directory descriptors to jailed processes
Patch Information
FreeBSD has released a security update addressing this vulnerability. System administrators should apply the patch referenced in FreeBSD-SA-26:04.jail.asc. Note that even with the patch applied, administrators remain responsible for ensuring that unprivileged host users cannot pass directory descriptors to jailed processes.
Workarounds
- Remove or reconfigure nullfs mounts that create shared directories between sibling jails
- Treat unix domain sockets as a filesystem resource, not a network one: network isolation between jails does not prevent this exchange, because the socket is reached through a path in the shared directory. The exchange needs a socket node that one jail can bind() and the other can connect() to (connect requires write permission on the socket file), so permissions on the shared directory and on any socket files in it should deny that to at least one side; removing the shared mount is the dependable option
- Do not rely on allow.sysvipc or allow.socket_af: the former governs System V IPC and the latter only address families other than IPv4, IPv6 and local (AF_UNIX) sockets, so neither restricts the unix domain sockets used here
- Consider using separate physical or virtual machines instead of sibling jails for workloads requiring strong isolation
# Review jail configurations for nullfs mounts
mount | grep nullfs
# Check for unix domain sockets in shared directories
find /path/to/shared/directory -type s
# List running jails with their root paths
jls -v
# Note: allow.socket_af only controls address families other than IPv4, IPv6
# and local (AF_UNIX), so "allow.socket_af = 0;" (already the default) does
# not prevent descriptor passing and is not a mitigation. The dependable
# workaround is to drop the shared nullfs mount from the jail definition, i.e.
# the "mount = ..." fstab(5) line that places a common directory under $path
# in more than one jail.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


