Administrators must urgently patch a critical vulnerability that allows attackers to escape isolated jail environments.
Tracked as CVE-2025-15576, the flaw enables a dangerous jailbreak condition despite often being associated with system crashes.
It enables a jailed process to bypass its restricted environment and gain full, unauthorized access to the host’s underlying filesystem.
FreeBSD jails are a form of operating system virtualization that securely isolates processes. They use a chroot-like mechanism to restrict a process’s access to files and directories.
However, CVE-2025-15576 exposes a critical flaw in how directory file descriptors are handled when two separate sibling jails interact. The vulnerability occurs under a very specific system configuration.
If an administrator configures two sibling jails to share a directory via a nullfs mount, cooperating processes in these jails can establish a connection via a Unix domain socket.

| Technical Metadata | Details |
|---|---|
| Vulnerability ID | CVE-2025-15576 |
| Vulnerability Type | Jail / chroot escape via file descriptor (fd) exchange across jails |
| Affected Component | Core Jail Subsystem |
| Disclosure Date | February 24, 2026 |
| Affected Versions | FreeBSD 14.3, FreeBSD 13.5 |
| Mitigation | No workaround available; patch required |

Through this socket, malicious processes can exchange directory descriptors. During the normal filesystem name lookup process, the kernel checks whether a directory descends below the jail root.
However, because of this flaw, the kernel fails to properly halt the lookup when directory descriptors are exchanged via the socket.
Consequently, a process can successfully receive a file descriptor for a directory completely outside its restricted jail tree.
The primary impact of this flaw is the total loss of filesystem isolation. If an attacker controls processes in two jails that share a nullfs mount and a Unix domain socket, they can pass directory descriptors back and forth to break the chroot limitation. Once outside the jail environment, the attacker gains full filesystem access.
They can reach the root filesystem, modify critical system files, exfiltrate sensitive data, or launch further attacks to escalate privileges on the host machine.
It is important to note that administrators must ensure unprivileged users cannot pass directory descriptors to jailed processes.
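To find out whether a host has the precondition described above (one directory reachable from more than one jail through nullfs), the following added example, which is not taken from the FreeBSD advisory, cross-references the text output of `jls name path` and `mount -p`. The jail names, paths and sample output are constructed; sources are matched by exact path, so overlapping subdirectory mounts are not correlated.

```python
from collections import defaultdict
from pathlib import PurePosixPath

# Constructed sample of `jls name path` output (jail names and paths are made up).
SAMPLE_JLS = """\
web /jails/web
db /jails/db
build /jails/build
"""

# Constructed sample of `mount -p` output (fstab-style columns).
SAMPLE_MOUNTS = """\
zroot/ROOT/default /                        zfs    rw,noatime 0 0
/data/shared       /jails/web/mnt/shared    nullfs rw 0 0
/data/shared       /jails/db/mnt/shared     nullfs rw 0 0
/jails/build/out   /jails/web/srv/artifacts nullfs ro 0 0
/usr/ports         /jails/build/usr/ports   nullfs ro 0 0
"""

def parse_jails(jls_text):
    """Return {jail_name: PurePosixPath(root)} from `jls name path` lines."""
    jails = {}
    for line in jls_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            jails[parts[0]] = PurePosixPath(parts[1].strip())
    return jails

def owning_jail(path, jails):
    """Name of the jail whose root contains path (deepest root wins), else None."""
    hits = [(len(root.parts), name) for name, root in jails.items()
            if path == root or root in path.parents]
    return max(hits)[1] if hits else None

def shared_nullfs(mount_text, jails):
    """Map each nullfs source directory to the jails that can reach it."""
    seen = defaultdict(set)
    for line in mount_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[2] == "nullfs":
            source, target = PurePosixPath(fields[0]), PurePosixPath(fields[1])
            # A jail sees the directory if it holds the mount target or the source.
            for jail in (owning_jail(source, jails), owning_jail(target, jails)):
                if jail:
                    seen[str(source)].add(jail)
    return {src: sorted(names) for src, names in seen.items() if len(names) > 1}

if __name__ == "__main__":
    for src, names in shared_nullfs(SAMPLE_MOUNTS, parse_jails(SAMPLE_JLS)).items():
        print(f"{src}: shared by {', '.join(names)}")
```

On a real host, replace the two sample strings with the captured output of the commands named in the comments; any directory the script reports is a candidate for patch prioritization and review.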
Currently, no temporary workarounds are available to mitigate this vulnerability. Administrators must immediately upgrade their FreeBSD systems to the patched release branches.
For systems installed from binary distribution sets (such as RELEASE versions of FreeBSD 14.3 or 13.5), administrators can deploy the fix using the built-in update utility.
Running `freebsd-update fetch`, followed by `freebsd-update install`, will securely apply the patch. A system reboot is strictly required for the security update to take effect.
For environments managing source code installations, administrators must download the relevant patch from the official FreeBSD security portal, verify its PGP signature, and recompile the kernel.
To ensure complete protection, verify that your system is running a patched kernel dated after February 24, 2026.