Cyber Resilience

CVE-2025-15576

High (LPE)

Published: 09 March 2026
Modified: 17 March 2026
KEV Added: not listed
Patch: see FreeBSD-SA-26:04.jail
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N)
EPSS Score: 0.0002 (6.7th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-15576 is a high-severity Improper Privilege Management (CWE-269) vulnerability in Freebsd Freebsd. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 6.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-39 (Process Isolation) and SC-4 (Information in Shared System Resources).

Deeper analysis

CVE-2025-15576 is a jail isolation bypass in the FreeBSD kernel's jail subsystem. It affects configurations in which two sibling jails are confined to separate filesystem trees (neither jail root directory is an ancestor of the other) but share a directory through a nullfs mount. In such a setup, jailed processes can exchange directory file descriptors over a unix domain socket. During filesystem name lookups the kernel checks at each step whether the lookup would descend below the current process's jail root, but it does not detect that a directory received as a descriptor already lies outside that root, so lookups relative to that descriptor reach paths beyond the jail's chroot boundary.

Exploitation requires local access (AV:L) with low privileges (PR:L) and high attack complexity (AC:H), typically involving cooperating processes in the two sibling jails that establish a unix domain socket connection and pass directory descriptors over it. Successful exploitation grants the jailed process full filesystem access, resulting in high confidentiality (C:H) and integrity (I:H) impacts with changed scope (S:C) but no availability impact (A:N), as scored at CVSS 7.5 (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N). The vulnerability is linked to CWE-269 (Improper Privilege Management), CWE-488 (Exposure of Data Element to Wrong Session), and CWE-790 (Incomplete Filtering of File Descriptors).

The FreeBSD Security Advisory at https://security.freebsd.org/advisories/FreeBSD-SA-26:04.jail.asc details the issue and provides patches. Even with patches applied, administrators must ensure unprivileged users on the jail host cannot pass directory descriptors to jailed processes.

Vulnerability details

If two sibling jails are restricted to separate filesystem trees, which is to say that neither of the two jail root directories is an ancestor of the other, jailed processes may nonetheless be able to access a shared directory via a nullfs mount, if the administrator has configured one. In this case, cooperating processes in the two jails may establish a connection using a unix domain socket and exchange directory descriptors with each other. When performing a filesystem name lookup, at each step of the lookup, the kernel checks whether the lookup would descend below the jail root of the current process. If the jail root directory is not encountered, the lookup continues. In a configuration where processes in two different jails are able to exchange file descriptors using a unix domain socket, it is possible for a jailed process to receive a directory for a descriptor that is below that process' jail root. This enables full filesystem access for a jailed process, breaking the chroot. Note that the system administrator is still responsible for ensuring that an unprivileged user on the jail host is not able to pass directory descriptors to a jailed process, even in a patched kernel.
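The precondition described above (two jails with disjoint roots that both see the same nullfs-mounted directory) can be audited from the host. The following script is an added example, not code from the advisory or the FreeBSD project: it parses constructed sample text laid out like `jls jid name path` and `mount -p` output (the column layout is an assumption; on a real host substitute the actual command output) and reports every nullfs source that is visible inside two jails whose roots are not nested in each other.

```python
import os
from itertools import combinations

# Constructed sample data (not captured from a real host), laid out like
# `jls jid name path` and `mount -p` output respectively.
JLS_SAMPLE = """\
1 web /jails/web
2 db /jails/db
3 inner /jails/web/inner
"""
MOUNT_SAMPLE = """\
zroot/ROOT/default / zfs rw 0 0
/data/shared /jails/web/shared nullfs rw 0 0
/data/shared /jails/db/shared nullfs rw 0 0
/data/logs /jails/web/logs nullfs rw 0 0
/data/logs /jails/web/inner/logs nullfs rw 0 0
"""
def parse_jails(text):
    """Map jail name -> normalized root path from 'jid name path' lines."""
    rows = (line.split() for line in text.splitlines())
    return {p[1]: os.path.normpath(p[2]) for p in rows if len(p) == 3}
def parse_nullfs_mounts(text):
    """Return (source, mountpoint) pairs for the nullfs entries only."""
    rows = (line.split() for line in text.splitlines())
    return [(os.path.normpath(p[0]), os.path.normpath(p[1]))
            for p in rows if len(p) >= 3 and p[2] == "nullfs"]
def is_under(path, root):
    """True if path equals root or lies anywhere below it."""
    return path == root or path.startswith(root.rstrip("/") + "/")
def jail_of(mountpoint, jails):
    """Name of the jail whose root most specifically contains mountpoint."""
    inside = [n for n, r in jails.items() if is_under(mountpoint, r)]
    return max(inside, key=lambda n: len(jails[n])) if inside else None

def find_risky_pairs(jails, mounts):
    """Sibling jails (neither root an ancestor of the other) that both have
    the same nullfs source mounted inside them: the advisory's precondition."""
    by_source = {}
    for source, mountpoint in mounts:
        owner = jail_of(mountpoint, jails)
        if owner is not None:
            by_source.setdefault(source, set()).add(owner)
    risky = []
    for source, names in by_source.items():
        for a, b in combinations(sorted(names), 2):
            # A nested jail (inner under web) is not a sibling pair and is skipped.
            if not is_under(jails[a], jails[b]) and not is_under(jails[b], jails[a]):
                risky.append((source, a, b))
    return sorted(risky)  # sample data yields [("/data/shared", "db", "web")]
```

On the sample data only `/data/shared` is flagged: `web` and `db` have disjoint roots, while `/data/logs` is shared between `web` and its nested jail `inner`, which the advisory's definition excludes.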

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

T1611 Escape to Host (tactic: Privilege Escalation): Adversaries may break out of a container or virtualized environment to gain access to the underlying host.
Why these techniques?

The jail isolation bypass caused by the kernel's descriptor validation flaw directly enables a container-like escape (T1611) and local privilege escalation (T1068) to full host filesystem access.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One (same product: Freebsd Freebsd)

CVE-2025-15547
CVE-2026-6386
CVE-2026-45253
CVE-2026-7270
CVE-2026-39461
CVE-2026-45250
CVE-2026-39457
CVE-2026-5398
CVE-2026-45251
CVE-2026-35547

Affected Assets

Vendor: freebsd
Product: freebsd
Versions: 13.5, 14.3

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

Prevent (flaw remediation): Timely flaw remediation through application of the FreeBSD kernel patch directly corrects the filesystem name lookup validation failure for exchanged directory descriptors in jails.

Prevent (SC-4, Information in Shared System Resources): Prevents unauthorized transfer of directory file descriptors between sibling jails via shared system resources such as nullfs mounts and unix domain sockets.

Prevent (SC-39, Process Isolation): Enforces process isolation to block cooperating jailed processes from bypassing chroot boundaries through descriptor exchange over unix domain sockets.