Cyber Resilience

CVE-2025-15547

HighLPE

Published: 09 March 2026

Published
09 March 2026
Modified
17 March 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0011 1.6th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2025-15547 is a high-severity Improper Privilege Management (CWE-269) vulnerability in Freebsd Freebsd. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 1.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and CM-7 (Least Functionality).

Deeper analysis

CVE-2025-15547 is a jail escape vulnerability in FreeBSD's kernel, affecting the jail subsystem and nullfs(4) filesystem mounting. By default, processes within a FreeBSD jail cannot mount filesystems, but the allow.mount.nullfs jail parameter enables nullfs mounts subject to privilege checks. A flaw in the kernel's path lookup logic allows a privileged user inside such a jail to mount directories in a way that bypasses the jail's chroot restriction, providing access to the full filesystem of the host or parent jail.

The vulnerability can be exploited by a local attacker with low privileges (PR:L) who has root access within a jail configured to allow nullfs mounts (allow.mount.nullfs). Exploitation requires low attack complexity (AC:L) with no user interaction (UI:N) and local access (AV:L). Successful exploitation changes the scope (S:C) and grants high-impact confidentiality, integrity, and availability effects (C:H/I:H/A:H), enabling the jailed root user to fully escape the jail's filesystem root.

The FreeBSD Security Advisory at https://security.freebsd.org/advisories/FreeBSD-SA-26:02.jail.asc provides details on patches and mitigation recommendations for this issue.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

By default, jailed processes cannot mount filesystems, including nullfs(4). However, the allow.mount.nullfs option enables mounting nullfs filesystems, subject to privilege checks. If a privileged user within a jail is able to nullfs-mount directories, a limitation of the kernel's path lookup…

more

logic allows that user to escape the jail's chroot, yielding access to the full filesystem of the host or parent jail. In a jail configured to allow nullfs(4) mounts from within the jail, the jailed root user can escape the jail's filesystem root.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1611 Escape to Host Privilege Escalation
Adversaries may break out of a container or virtualized environment to gain access to the underlying host.
Why these techniques?

Jail escape via kernel path lookup flaw in nullfs mounts directly enables host breakout (T1611) from jailed root and local privilege escalation via vulnerability exploitation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-15576Same product: Freebsd Freebsd
CVE-2026-6386Same product: Freebsd Freebsd
CVE-2026-39457Same product: Freebsd Freebsd
CVE-2026-7270Same product: Freebsd Freebsd
CVE-2026-45251Same product: Freebsd Freebsd
CVE-2026-39461Same product: Freebsd Freebsd
CVE-2026-45253Same product: Freebsd Freebsd
CVE-2026-45250Same product: Freebsd Freebsd
CVE-2026-5398Same product: Freebsd Freebsd
CVE-2026-35547Same product: Freebsd Freebsd

Affected Assets

freebsd
freebsd
13.5, 14.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the kernel flaw in path lookup logic exploited for jail escape via nullfs mounts by requiring timely patching.

prevent

Enforces secure configuration of jail parameters like allow.mount.nullfs to be disabled, preventing the prerequisite for exploitation.

prevent

Restricts jails to least functionality by prohibiting unnecessary nullfs mounts, mitigating the ability to perform the vulnerable operation.

References