CVE-2025-15576 – FreeBSD Jail Escape via File Descriptor Exchange
“A gap in jail boundary enforcement lets processes step outside their sandbox — this patch restores strict isolation.”
This patch addresses a serious vulnerability in the FreeBSD jail subsystem tracked as CVE-2025-15576. The issue affects FreeBSD 14.3 and FreeBSD 13.5 and allows a jailed process to escape its restricted environment and gain access to the host system’s filesystem.
The flaw occurs when two sibling jails share a directory through a nullfs mount and communicate over a Unix domain socket. Processes in the two jails can pass directory file descriptors to each other over that socket. Because of improper validation during filesystem name lookups, the kernel may let a jailed process use such a descriptor to reach a directory outside its assigned root. This breaks the fundamental isolation model of FreeBSD jails and enables unauthorized access to sensitive host files and system resources.
CVE-2025-15576 carries a CVSS v3.1 score of 7.0 (High). Successful exploitation can lead to a complete breakdown of filesystem isolation, allowing attackers to read or modify system files, extract sensitive data, or pivot into further privilege escalation attacks on the host system. A security update corrects the descriptor validation logic in the jail subsystem to enforce proper filesystem boundary checks.
No verified reports currently confirm active exploitation in the wild or publicly released proof-of-concept code.
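A host-side triage check for the precondition the advisory describes (two or more jails sharing a directory via nullfs). This is an added example, not code from the advisory or from FreeBSD; it assumes `mount -p` output and a jail-name-to-root mapping such as `jls name path` prints, and the sample data below is constructed.

```python
"""Audit a FreeBSD host for the CVE-2025-15576 precondition: two or more
jails that see the same host directory through nullfs mounts.

Added triage example, not code from the advisory. Input is assumed to be
`mount -p` output (fstab-style columns) plus a jail name -> root mapping
as `jls name path` reports; all sample data here is constructed."""
from collections import defaultdict
from pathlib import PurePosixPath

# Constructed sample: `mount -p` output from a hypothetical host.
SAMPLE_MOUNTS = """\
/dev/ada0p2\t/\tufs\trw\t1\t1
/srv/shared\t/jails/web/shared\tnullfs\trw\t0\t0
/srv/shared\t/jails/db/shared\tnullfs\trw\t0\t0
/usr/ports\t/jails/build/usr/ports\tnullfs\tro\t0\t0
devfs\t/jails/web/dev\tdevfs\trw\t0\t0
"""

# Constructed sample: jail name -> root path, as `jls name path` would print.
SAMPLE_JAILS = {"web": "/jails/web", "db": "/jails/db", "build": "/jails/build"}


def jail_for_mountpoint(mountpoint, jail_roots):
    """Return the jail whose root contains mountpoint, or None for host mounts."""
    mp = PurePosixPath(mountpoint)
    for name, root in jail_roots.items():
        root_p = PurePosixPath(root)
        if mp == root_p or root_p in mp.parents:
            return name
    return None


def find_shared_nullfs(mount_output, jail_roots):
    """Map each nullfs source directory to the jails that mount it,
    keeping only directories visible inside two or more jails."""
    seen = defaultdict(set)
    for line in mount_output.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[2] != "nullfs":
            continue
        source, mountpoint = fields[0], fields[1]  # nullfs "special" is the source dir
        jail = jail_for_mountpoint(mountpoint, jail_roots)
        if jail is not None:
            seen[source].add(jail)
    return {src: sorted(jails) for src, jails in seen.items() if len(jails) > 1}


if __name__ == "__main__":
    for src, jails in find_shared_nullfs(SAMPLE_MOUNTS, SAMPLE_JAILS).items():
        print(f"{src} is shared via nullfs by jails: {', '.join(jails)}")
```

On a real host, feed it `subprocess.run(["mount", "-p"], ...)` output and the `jls name path` mapping; any directory it reports is one to review against the patched release.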
Key Details
- Affected Product: FreeBSD (FreeBSD 13.5 and 14.3)
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- CWE Classification: CWE-269 (Improper Privilege Management)