Severity: High

FreeBSD jail/chroot escape via directory file descriptor exchange across sibling jails

Identifiers: CVE-2025-15576, CWE-863 (Incorrect Authorization)

CVE-2025-15576 is a flaw in the FreeBSD jail subsystem that lets a jailed process escape its filesystem confinement (the chroot-style restriction to the jail root) when directory file descriptors are exchanged between two sibling jails. In the vulnerable design, the kernel's pathname lookup enforces containment one component at a time: a ".." component is refused only when the directory being left is the process's own jail root. A lookup that starts from a directory outside the jail root's subtree never encounters that root, so ".." keeps climbing until it reaches the real filesystem root. The preconditions are modest: two sibling jails whose roots are not ancestors of each other share a directory through a nullfs mount, a Unix domain socket is created in that shared directory, and a cooperating process in one jail passes a directory descriptor (any directory inside its own jail will do) to a process in the other. The receiving process now holds a descriptor for a directory that lies outside its own jail root, and any name lookup relative to that descriptor (openat(2) and the other *at calls, given a path with ".." components) walks past the containment check. The result is full filesystem access, which breaks jail/chroot isolation.
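
To make the per-component rule concrete, here is a toy model of the lookup in POSIX sh. It is an added illustration written for this page, not FreeBSD's namei code: directories are plain path strings rather than vnodes, `resolve` applies the ".." rule exactly as described above, and `resolve_contained` adds a start-directory check that is an assumption for the example, not the vendor's actual patch. The /jails/a and /jails/b paths are constructed.

```shell
#!/bin/sh
# Toy model of the ".." containment check in pathname lookup (added example,
# not FreeBSD kernel code). Directories are path strings, not vnodes.

# resolve ROOT START RELPATH
# Walks RELPATH component by component from START. A ".." is ignored only when
# the current directory is ROOT (or the real "/"); anywhere else it climbs one
# level. This is the per-component check the vulnerable design relies on.
resolve() {
    root=$1 cur=$2 rel=$3
    old_ifs=$IFS
    IFS=/
    set -f                                   # no globbing while splitting on "/"
    for comp in $rel; do
        case $comp in
            ''|.) ;;                         # "." or an empty field: no-op
            ..)
                if [ "$cur" = "$root" ] || [ "$cur" = / ]; then
                    :                        # at the root: stay, do not climb
                else
                    cur=${cur%/*}
                    [ -n "$cur" ] || cur=/
                fi ;;
            *)
                if [ "$cur" = / ]; then cur=/$comp; else cur=$cur/$comp; fi ;;
        esac
    done
    set +f
    IFS=$old_ifs
    printf '%s\n' "$cur"
}

# resolve_contained ROOT START RELPATH
# Illustrative extra check (an assumption for this example, not the vendor's
# fix): refuse any lookup whose starting directory is not inside ROOT, which is
# exactly what a descriptor received from a sibling jail gives you.
resolve_contained() {
    case $2 in
        "$1"|"$1"/*) resolve "$1" "$2" "$3" ;;
        *) printf 'refused: start %s is outside root %s\n' "$2" "$1" >&2; return 1 ;;
    esac
}

# Constructed scenario: the process is confined to /jails/a but has received a
# descriptor for /jails/b (a sibling jail's root) over a Unix domain socket.
resolve /jails/a /jails/a/tmp ../../../etc/master.passwd   # -> /jails/a/etc/master.passwd
resolve /jails/a /jails/b ../../etc/master.passwd          # -> /etc/master.passwd (escape)
resolve_contained /jails/a /jails/b ../../etc/master.passwd || echo "lookup refused"
```

The second call is the bug in miniature: starting at /jails/b, the walk passes /jails and then / without ever touching /jails/a, so the root check never fires. Note that real lookups also honour mount points and symlinks, which the model ignores.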


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation gives the jailed process a filesystem escape: it can resolve paths outside its jail root and read or write the host filesystem (or any other out-of-jail filesystem), subject only to ordinary file permissions for the credentials it already holds. A process that is root inside the jail can therefore alter critical host files, exfiltrate data, and stage follow-on actions that lead to full host compromise; an unprivileged jailed user gets whatever a host user with the same uid could reach. The bug lifts only the filesystem boundary; what that is worth in a given deployment depends on the other local conditions and privileges.

Mitigation

If you can’t patch tonight, do this now.

No workaround is available per the advisory. Exploitation needs all of the following, so removing any one of them reduces exposure until you patch: two sibling jails (neither root an ancestor of the other) that share a directory through a nullfs mount, the ability to create and connect to a Unix domain socket in that shared directory, and cooperating processes in both jails willing to pass a directory descriptor. Avoid writable nullfs mounts shared between jails you do not fully trust, or mount them read-only where the workload permits, which stops a socket from being created there. Separately, and independently of this bug, make sure unprivileged users on the jail host cannot hand directory descriptors to jailed processes; that remains an administrative responsibility after patching.
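
A quick audit for the first precondition, a single nullfs source mounted into the roots of two or more jails, as an added example written for this page (not from the advisory or FreeBSD). It runs offline on constructed `mount -p` and `jls name path` style lines; the jail names and paths below are made up.

```shell
#!/bin/sh
# Added example: flag nullfs sources mounted into more than one jail root.
# Sample data is constructed; on a live host feed it real output (see below).

# Constructed: lines in `mount -p` (fstab) format: special node fstype opts dump pass
SAMPLE_MOUNTS='/dev/ada0p2 / ufs rw 1 1
/usr/ports /jails/build/usr/ports nullfs ro 0 0
/srv/shared /jails/web/srv/shared nullfs rw 0 0
/srv/shared /jails/db/srv/shared nullfs rw 0 0
/srv/logs /jails/web/var/log/app nullfs rw 0 0
/srv/logs /var/log/app-ro nullfs ro 0 0'

# Constructed: lines in `jls name path` format: jail name, jail root path
SAMPLE_JAILS='build /jails/build
web /jails/web
db /jails/db'

# shared_nullfs MOUNTS JAILS
# Prints one line per nullfs source that is mounted inside two or more distinct
# jail roots, as "<source> <jail>,<jail>,...", and exits 1 if any were found.
shared_nullfs() {
    {
        printf '%s\n' "$2" | sed 's/^/J /'       # jail lines first, so roots are known
        printf '%s\n' "$1" | sed 's/^/M /'
    } | awk '
        $1 == "J" { root[$2] = $3; next }
        $1 == "M" && $4 == "nullfs" {
            # mount point is this jail root itself or lies somewhere under it
            for (j in root)
                if ($3 == root[j] || index($3, root[j] "/") == 1)
                    print $2, j                  # source, jail it is mounted into
        }' | sort -u | awk '
        function flush() { if (n > 1) { print src, list; hits++ } }
        $1 != src { flush(); src = $1; list = $2; n = 1; next }
        { list = list "," $2; n++ }
        END { flush(); exit (hits > 0) }'
}

shared_nullfs "$SAMPLE_MOUNTS" "$SAMPLE_JAILS" || echo "review the jails above"
# -> /srv/shared db,web
```

On a real FreeBSD host call `shared_nullfs "$(mount -p)" "$(jls name path)"`. A hit only means the directory is visible from both jails; whether a Unix domain socket can be created there (the mount must be writable for that) and whether the jails are otherwise isolated still needs a look at the configuration. Nested jails, where one root lies under another, will also be reported because a mount under the child matches both roots.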

Remediation

Patch, then assume compromise.

Apply FreeBSD's corrected code: update to a stable or releng/release-security branch dated after the correction date. For RELEASE systems run freebsd-update fetch, then freebsd-update install, and reboot. For source-based systems, download the vendor patch for your release (jail-14.patch for FreeBSD 14.3, jail-13.patch for FreeBSD 13.5) from https://security.FreeBSD.org/patches/SA-26:04/, verify the detached PGP signature (the .asc file published alongside it) with gpg, apply it in /usr/src, rebuild and install the kernel as described in the FreeBSD Handbook, and reboot. After rebooting, confirm the installed patch level with freebsd-version -k (kernel) and freebsd-version -u (userland).
PUBLIC EXPLOITS

Exploits

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors correlated with this vulnerability. The vendor patch set covers FreeBSD 14.3 and 13.5 (see Remediation); earlier stable branches are affected until they pick up the correction.

Vendor    Product   Type
FreeBSD   FreeBSD   application

Vendor-confirmed product mapping.
