CVE-2025-15576
Published: 09 March 2026
Summary
CVE-2025-15576 is a high-severity Improper Privilege Management (CWE-269) vulnerability in Freebsd Freebsd. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 3.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Policy addresses roles, responsibilities, and privilege management to prevent improper privilege assignments.
Access supervision ensures privileges are assigned and managed without improper escalation or retention.
Reviewing accounts whenever group/role memberships and access authorizations (privileges) are assigned addresses improper privilege management.
A reference monitor enforces proper privilege management by routing every access decision through a single verified mediation point.
By mandating division of duties across roles, the control enforces proper privilege management and prevents a single entity from controlling an entire sensitive process.
Least privilege implements the core of proper privilege management by restricting each subject to only the rights it requires.
Policy requires training on privilege management and least privilege, making it harder to exploit improper privilege management weaknesses.
Training covers proper privilege management practices, making incorrect privilege assignments less likely.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Jail isolation bypass via kernel descriptor validation flaw directly enables container-like escape (T1611) and local privilege escalation (T1068) to full host filesystem access.
NVD Description
If two sibling jails are restricted to separate filesystem trees, which is to say that neither of the two jail root directories is an ancestor of the other, jailed processes may nonetheless be able to access a shared directory via a nullfs mount, if the administrator has configured one. In this case, cooperating processes in the two jails may establish a connection using a unix domain socket and exchange directory descriptors with each other. When performing a filesystem name lookup, at each step of the lookup, the kernel checks whether the lookup would descend below the jail root of the current process. If the jail root directory is not encountered, the lookup continues. In a configuration where processes in two different jails are able to exchange file descriptors using a unix domain socket, it is possible for a jailed process to receive a directory for a descriptor that is below that process' jail root. This enables full filesystem access for a jailed process, breaking the chroot. Note that the system administrator is still responsible for ensuring that an unprivileged user on the jail host is not able to pass directory descriptors to a jailed process, even in a patched kernel.
Deeper analysis
CVE-2025-15576 is a jail isolation bypass vulnerability in the FreeBSD kernel's jail subsystem. It affects configurations where two sibling jails are restricted to separate filesystem trees (neither jail root directory is an ancestor of the other) but a shared directory is accessible from both via a nullfs mount. In such setups, jailed processes can exchange directory file descriptors over a unix domain socket connection. During filesystem name lookups, the kernel fails to validate whether a directory reached through such a received descriptor lies below the current process's jail root, so lookups starting from it can reach paths outside the jail's chroot boundary.
Exploitation requires local access (AV:L) with low privileges (PR:L) and high attack complexity (AC:H), typically involving cooperating processes across the two sibling jails to establish a unix domain socket and pass directory descriptors. Successful exploitation grants the jailed process full filesystem access, resulting in high confidentiality (C:H) and integrity (I:H) impacts with changed scope (S:C) but no availability impact (A:N), as scored at CVSS 7.5 (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N). The vulnerability is linked to CWE-269 (Privilege Context Switching Error), CWE-488 (Exposure of Data Element to Wrong Session), and CWE-790 (Incomplete Filtering of File Descriptors).
The FreeBSD Security Advisory at https://security.freebsd.org/advisories/FreeBSD-SA-26:04.jail.asc details the issue and provides patches. Even with patches applied, administrators must ensure unprivileged users on the jail host cannot pass directory descriptors to jailed processes.
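The precondition described above is a nullfs source directory that is mounted into more than one sibling jail root. The following audit helper is an added example, not code from the FreeBSD advisory; it assumes the `mount -t nullfs` line format `SRC on DST (nullfs, ...)` and one jail root per line as printed by `jls path`, and it runs here on constructed sample data so the logic can be checked offline.

```shell
#!/bin/sh
# Report nullfs sources reachable from two or more jail roots, i.e. the
# shared-directory precondition for CVE-2025-15576. On a FreeBSD host call:
#   shared_nullfs_sources "$(mount -t nullfs)" "$(jls path)"
# Prints "SOURCE<TAB>count" for each source mounted under >= 2 jail roots.
# Jails rooted at "/" are not handled (everything would match them).
shared_nullfs_sources() {
    mounts="$1"
    roots="$2"
    printf '%s\n' "$mounts" | awk -v roots="$roots" '
        BEGIN { n = split(roots, r, "\n") }
        # nullfs line from mount(8): "/src on /jails/a/src (nullfs, local)"
        $2 == "on" && $4 ~ /^\(nullfs/ {
            src = $1; dst = $3; best = ""
            # Attribute the mountpoint to the innermost (longest) jail root
            # containing it, so nested jails are not miscounted as siblings.
            for (i = 1; i <= n; i++) {
                root = r[i]
                if (root == "") continue
                if (dst == root || index(dst, root "/") == 1)
                    if (length(root) > length(best)) best = root
            }
            if (best != "" && !((src, best) in seen)) {
                seen[src, best] = 1
                count[src]++
            }
        }
        END {
            for (s in count)
                if (count[s] >= 2) printf "%s\t%d\n", s, count[s]
        }' | sort
}

# Constructed sample data (not real host output) so the helper runs offline:
# /usr/ports is exposed to jails a and b, /data/x only to a, /tmp to no jail.
SAMPLE_MOUNTS='/usr/ports on /jails/a/usr/ports (nullfs, local)
/usr/ports on /jails/b/usr/ports (nullfs, local, read-only)
/data/x on /jails/a/x (nullfs, local)
/tmp on /mnt/tmp (nullfs, local)'
SAMPLE_ROOTS='/jails/a
/jails/b'

shared_nullfs_sources "$SAMPLE_MOUNTS" "$SAMPLE_ROOTS"
```

A reported source is a candidate for review rather than proof of exposure: the jails must also be able to exchange descriptors over a unix domain socket, and the kernel must be unpatched, for the bypass to apply.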
Details
- CWE(s)