=============================================================================
FreeBSD-SA-26:04.jail Security Advisory
The FreeBSD Project
Topic: Jail chroot escape via fd exchange with a different jail
Category: core
Module: jail
Announced: 2026-02-24
Affects: FreeBSD 14.3 and 13.5.
Corrected: 2025-07-29 12:49:03 UTC (stable/14, 14.3-STABLE)
2026-02-24 16:01:32 UTC (releng/14.3, 14.3-RELEASE-p9)
2026-02-09 20:44:00 UTC (stable/13, 13.4-STABLE)
2026-02-24 16:04:42 UTC (releng/13.5, 13.5-RELEASE-p10)
CVE Name: CVE-2025-15576
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .
I. Background
Jails are an operating system virtualization technology that allows
administrators to confine processes within an environment with limited ability
to affect the system outside of that environment. In particular, jailed
processes typically have their filesystem access restricted by a chroot-like
mechanism.
nullfs(4) is a pseudo-filesystem which allows a directory to be mounted at
another point in the filesystem hierarchy.
Unix domain sockets are a mechanism for interprocess communication. They
behave similarly to Internet sockets but are identified by names in the local
filesystem. Unix domain sockets allow processes to exchange file descriptors
using control messages.
II. Problem Description
If two sibling jails are restricted to separate filesystem trees, which is to
say that neither of the two jail root directories is an ancestor of the other,
jailed processes may nonetheless be able to access a shared directory via a
nullfs mount, if the administrator has configured one.
In this case, cooperating processes in the two jails may establish a connection
using a Unix domain socket and exchange directory descriptors with each other.
When performing a filesystem name lookup, the kernel checks at each step of the
lookup whether the lookup would escape the jail root of the current process. If
the jail root directory is not encountered, the lookup continues. A lookup that
starts from a received descriptor referring to a directory outside the jail
root therefore never encounters the jail root, and the check never takes
effect.
III. Impact
In a configuration where processes in two different jails are able to exchange
file descriptors using a Unix domain socket, it is possible for a jailed
process to receive a descriptor for a directory that lies outside that process'
jail root. This enables full filesystem access for a jailed process, breaking
the chroot.
Note that the system administrator is still responsible for ensuring that an
unprivileged user on the jail host is not able to pass directory descriptors
to a jailed process, even in a patched kernel.
IV. Workaround
No workaround is available. Note that in order to exploit this problem, an
attacker requires control over processes in two jails which share a nullfs
mount in which a Unix domain socket can be installed.
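To find the configuration this section describes before upgrading, here is an added shell example (not part of the advisory) that lists nullfs sources mounted read-write into more than one of the given jail roots; the function names, the sample mount table and the jail paths in it are constructed, and restricting the search to read-write mounts is an assumption drawn from the qualifier that a Unix domain socket must be creatable in the shared mount.

```shell
#!/bin/sh
# Added example, not part of the advisory: list nullfs sources that are mounted
# read-write into more than one of the given jail roots. Those are the mounts
# in which a Unix domain socket shared between two jails could be created.
# Input is a mount table in fstab format, as printed by `mount -p`.
#
# usage: mount -p | shared_nullfs JAILROOT...      (on a FreeBSD host)
shared_nullfs() {
    awk -v roots="$*" '
    BEGIN { n = split(roots, r, " ") }
    # field 1: source directory, 2: mount point, 3: fstype, 4: options
    $3 == "nullfs" && $4 !~ /(^|,)ro(,|$)/ {
        for (i = 1; i <= n; i++) {
            # mount point is the jail root itself or lies underneath it
            if ($2 == r[i] || index($2, r[i] "/") == 1) {
                if (!(($1, r[i]) in seen)) {
                    seen[$1, r[i]] = 1
                    cnt[$1]++
                    jails[$1] = jails[$1] " " r[i]
                }
            }
        }
    }
    END { for (s in cnt) if (cnt[s] > 1) print s ":" jails[s] }
    ' | sort
}

# Constructed sample table for a dry run (hypothetical paths, not a real host).
sample_mounts() {
    printf '%s\n' \
        '/usr/local/shared /jails/a/mnt/shared nullfs rw 0 0' \
        '/usr/ports /jails/a/usr/ports nullfs ro 0 0' \
        '/usr/local/shared /jails/b/mnt/shared nullfs rw 0 0' \
        '/usr/ports /jails/c/usr/ports nullfs ro 0 0' \
        '/tmp/scratch /jails/b/scratch nullfs rw 0 0' \
        '/tmp/scratch /jails/c/scratch nullfs rw 0 0' \
        '/dev /jails/a/dev devfs rw 0 0'
}

# Prints the two read-write sources shared by two jails; the read-only
# /usr/ports mount and the non-nullfs devfs mount are left out.
sample_mounts | shared_nullfs /jails/a /jails/b /jails/c
```

On a live host, feed the real table with `mount -p | shared_nullfs $(jls path)`.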
V. Solution
Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
Perform one of the following:
1) To update your vulnerable system installed from binary distribution sets:
Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
or the i386 platform on FreeBSD 13, which were not installed using base
system packages, can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"
2) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 14.3]
# fetch https://security.FreeBSD.org/patches/SA-26:04/jail-14.patch
# fetch https://security.FreeBSD.org/patches/SA-26:04/jail-14.patch.asc
# gpg --verify jail-14.patch.asc
[FreeBSD 13.5]
# fetch https://security.FreeBSD.org/patches/SA-26:04/jail-13.patch
# fetch https://security.FreeBSD.org/patches/SA-26:04/jail-13.patch.asc
# gpg --verify jail-13.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in and reboot the system.
VI. Correction details
This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:
Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/14/                              3ad3ab5f9b6e    stable/14-n272076
releng/14.3/                            fbc35b3e6615  releng/14.3-n271471
stable/13/                              73530e4c2ea9    stable/13-n259752
releng/13.5/                            e6b96891ef7c  releng/13.5-n259202
-------------------------------------------------------------------------
Run the following command to see which files were modified by a
particular commit:
# git show --stat <commit hash>
Or visit the following URL, replacing NNNNNN with the hash:
To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:
# git rev-list --count --first-parent HEAD
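As an added example, not from the advisory or the FreeBSD project, the following shell functions compare a running-kernel version string against the corrected releng patch levels in the header above, and a stable-branch commit count against the Revision column of this section; the function names are hypothetical and the version strings in the dry run are constructed.

```shell
#!/bin/sh
# Added example, not part of the advisory: classify a kernel against the
# fixed levels in this advisory. Thresholds come from the "Corrected:" field
# (releng) and the Revision column of section VI (stable).
#
# sa2604_status VERSION    VERSION as printed by `freebsd-version -r`
# Prints "patched", "vulnerable", or "unknown" (non-release branch, or a
# release this advisory does not list).
sa2604_status() {
    ver=$1
    rel=${ver%%-*}          # 14.3-RELEASE-p8 -> 14.3
    case "$ver" in
        *-RELEASE-p[0-9]*) plevel=${ver##*-p} ;;   # explicit patch level
        *-RELEASE)         plevel=0 ;;             # GA release, no patches
        *)                 echo unknown; return 0 ;;
    esac
    case "$rel" in
        14.3) need=9 ;;     # corrected in 14.3-RELEASE-p9
        13.5) need=10 ;;    # corrected in 13.5-RELEASE-p10
        *)    echo unknown; return 0 ;;
    esac
    if [ "$plevel" -ge "$need" ]; then echo patched; else echo vulnerable; fi
}

# sa2604_stable_status BRANCH COUNT
# BRANCH is stable/14 or stable/13; COUNT is the commit count from
# `git rev-list --count --first-parent HEAD` in the source tree.
sa2604_stable_status() {
    case "$1" in
        stable/14) need=272076 ;;   # stable/14-n272076
        stable/13) need=259752 ;;   # stable/13-n259752
        *)         echo unknown; return 0 ;;
    esac
    if [ "$2" -ge "$need" ]; then echo patched; else echo vulnerable; fi
}

# On a FreeBSD host: sa2604_status "$(freebsd-version -r)"
# Dry run on constructed version strings:
for v in 14.3-RELEASE-p8 14.3-RELEASE-p9 13.5-RELEASE 14.3-STABLE; do
    printf '%-18s %s\n' "$v" "$(sa2604_status "$v")"
done
```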
VII. References
The latest revision of this advisory is available at