CVE-2025-15547
Published: 09 March 2026
Summary
CVE-2025-15547 is a high-severity Improper Privilege Management (CWE-269) vulnerability in Freebsd Freebsd. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 3.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and CM-7 (Least Functionality).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the kernel flaw in path lookup logic exploited for jail escape via nullfs mounts by requiring timely patching.
Enforces secure configuration of jail parameters like allow.mount.nullfs to be disabled, preventing the prerequisite for exploitation.
Restricts jails to least functionality by prohibiting unnecessary nullfs mounts, mitigating the ability to perform the vulnerable operation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Jail escape via kernel path lookup flaw in nullfs mounts directly enables host breakout (T1611) from jailed root and local privilege escalation via vulnerability exploitation (T1068).
NVD Description
By default, jailed processes cannot mount filesystems, including nullfs(4). However, the allow.mount.nullfs option enables mounting nullfs filesystems, subject to privilege checks. If a privileged user within a jail is able to nullfs-mount directories, a limitation of the kernel's path lookup…
more
logic allows that user to escape the jail's chroot, yielding access to the full filesystem of the host or parent jail. In a jail configured to allow nullfs(4) mounts from within the jail, the jailed root user can escape the jail's filesystem root.
Deeper analysisAI
CVE-2025-15547 is a jail escape vulnerability in FreeBSD's kernel, affecting the jail subsystem and nullfs(4) filesystem mounting. By default, processes within a FreeBSD jail cannot mount filesystems, but the allow.mount.nullfs jail parameter enables nullfs mounts subject to privilege checks. A flaw in the kernel's path lookup logic allows a privileged user inside such a jail to mount directories in a way that bypasses the jail's chroot restriction, providing access to the full filesystem of the host or parent jail.
The vulnerability can be exploited by a local attacker with low privileges (PR:L) who has root access within a jail configured to allow nullfs mounts (allow.mount.nullfs). Exploitation requires low attack complexity (AC:L) with no user interaction (UI:N) and local access (AV:L). Successful exploitation changes the scope (S:C) and grants high-impact confidentiality, integrity, and availability effects (C:H/I:H/A:H), enabling the jailed root user to fully escape the jail's filesystem root.
The FreeBSD Security Advisory at https://security.freebsd.org/advisories/FreeBSD-SA-26:02.jail.asc provides details on patches and mitigation recommendations for this issue.
Details
- CWE(s)