{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-15547", "assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109", "state": "PUBLISHED", "assignerShortName": "freebsd", "dateReserved": "2026-01-26T15:57:03.264Z", "datePublished": "2026-03-09T11:46:51.973Z", "dateUpdated": "2026-03-10T18:59:55.413Z"}, "containers": {"cna": {"datePublic": "2026-01-27T23:00:00.000Z", "title": "Jail escape by a privileged user via nullfs", "references": [{"tags": ["vendor-advisory"], "url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:02.jail.asc"}], "affected": [{"defaultStatus": "unknown", "modules": ["jail"], "product": "FreeBSD", "vendor": "FreeBSD", "versions": [{"lessThan": "p8", "status": "affected", "version": "14.3-RELEASE", "versionType": "release"}, {"lessThan": "p9", "status": "affected", "version": "13.5-RELEASE", "versionType": "release"}]}], "descriptions": [{"lang": "en", "value": "By default, jailed processes cannot mount filesystems, including nullfs(4). However, the allow.mount.nullfs option enables mounting nullfs filesystems, subject to privilege checks.\n\nIf a privileged user within a jail is able to nullfs-mount directories, a limitation of the kernel's path lookup logic allows that user to escape the jail's chroot, yielding access to the full filesystem of the host or parent jail.\n\nIn a jail configured to allow nullfs(4) mounts from within the jail, the jailed root user can escape the jail's filesystem root."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-269", "description": "CWE-269 Improper Privilege Management", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109", "shortName": "freebsd", "dateUpdated": "2026-03-09T11:46:51.973Z"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-10T18:59:30.204346Z", "id": "CVE-2025-15547", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T18:59:55.413Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-15547", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-10T18:59:30.204346Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T18:58:43.372Z"}}], "cna": {"title": "Jail escape by a privileged user via nullfs", "affected": [{"vendor": "FreeBSD", "modules": ["jail"], "product": "FreeBSD", "versions": [{"status": "affected", "version": "14.3-RELEASE", "lessThan": "p8", "versionType": "release"}, {"status": "affected", "version": "13.5-RELEASE", "lessThan": "p9", "versionType": "release"}], "defaultStatus": "unknown"}], "datePublic": "2026-01-27T23:00:00.000Z", "references": [{"url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:02.jail.asc", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "cvelib 1.8.0"}, "descriptions": [{"lang": "en", "value": "By default, jailed processes cannot mount filesystems, including nullfs(4). However, the allow.mount.nullfs option enables mounting nullfs filesystems, subject to privilege checks.\n\nIf a privileged user within a jail is able to nullfs-mount directories, a limitation of the kernel's path lookup logic allows that user to escape the jail's chroot, yielding access to the full filesystem of the host or parent jail.\n\nIn a jail configured to allow nullfs(4) mounts from within the jail, the jailed root user can escape the jail's filesystem root."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-269", "description": "CWE-269 Improper Privilege Management"}]}], "providerMetadata": {"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109", "shortName": "freebsd", "dateUpdated": "2026-03-09T11:46:51.973Z"}}}, "cveMetadata": {"cveId": "CVE-2025-15547", "state": "PUBLISHED", "dateUpdated": "2026-03-10T18:59:55.413Z", "dateReserved": "2026-01-26T15:57:03.264Z", "assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109", "datePublished": "2026-03-09T11:46:51.973Z", "assignerShortName": "freebsd"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "By default, jailed processes cannot mount filesystems, including nullfs(4). However, the allow.mount.nullfs option enables mounting nullfs filesystems, subject to privilege checks.\n\nIf a privileged user within a jail is able to nullfs-mount directories, a limitation of the kernel's path lookup logic allows that user to escape the jail's chroot, yielding access to the full filesystem of the host or parent jail.\n\nIn a jail configured to allow nullfs(4) mounts from within the jail, the jailed root user can escape the jail's filesystem root."}, {"lang": "es", "value": "Por defecto, los procesos enjaulados no pueden montar sistemas de archivos, incluyendo nullfs(4). Sin embargo, la opci\u00f3n allow.mount.nullfs permite montar sistemas de archivos nullfs, sujeto a comprobaciones de privilegios.\n\nSi un usuario privilegiado dentro de una jaula es capaz de montar directorios con nullfs, una limitaci\u00f3n de la l\u00f3gica de b\u00fasqueda de rutas del kernel permite a ese usuario escapar del chroot de la jaula, lo que otorga acceso al sistema de archivos completo del anfitri\u00f3n o de la jaula padre.\n\nEn una jaula configurada para permitir montajes de nullfs(4) desde dentro de la jaula, el usuario root enjaulado puede escapar de la ra\u00edz del sistema de archivos de la jaula."}], "id": "CVE-2025-15547", "lastModified": "2026-03-10T20:16:19.450", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.0, "impactScore": 6.0, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-09T12:16:11.403", "references": [{"source": "secteam@freebsd.org", "url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:02.jail.asc"}], "sourceIdentifier": "secteam@freebsd.org", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-269"}], "source": "secteam@freebsd.org", "type": "Secondary"}]}

{}