CVE-2025-15576 Jail chroot escape via fd exchange with a different jail

🗓️ 09 Mar 2026 11:54:20Reported by freebsdType

CVE-2025-15576: Jail chroot escape via exchanging directory descriptors between jails using unix sockets and nullfs.

Reporter	Title	Published	Views	Family All 14
FreeBSD	FreeBSD -- Jail chroot escape via fd exchange with a different jail	24 Feb 202600:00	–	freebsd
Circl	CVE-2025-15576	27 Feb 202616:51	–	circl
CNNVD	FreeBSD 安全漏洞	9 Mar 202600:00	–	cnnvd
CVE	CVE-2025-15576	9 Mar 202611:54	–	cve
EUVD	EUVD-2025-208409	9 Mar 202612:31	–	euvd
EUVD	EUVD-2025-208410	9 Mar 202612:31	–	euvd
FreeBSD Advisory	FreeBSD-SA-26:04.jail	24 Feb 202600:00	–	freebsd_advisory
Tenable Nessus	FreeBSD : FreeBSD -- Jail chroot escape via fd exchange with a different jail (a88f5b2d-11e9-11f1-8148-bc241121aa0a)	28 Feb 202600:00	–	nessus
NVD	CVE-2025-15576	9 Mar 202612:16	–	nvd
Packet Storm News	FreeBSD Security Advisory - FreeBSD-SA-26:04.jail	24 Feb 202600:00	–	packetstormnews

[
  {
    "defaultStatus": "unknown",
    "modules": [
      "jail"
    ],
    "product": "FreeBSD",
    "vendor": "FreeBSD",
    "versions": [
      {
        "lessThan": "p9",
        "status": "affected",
        "version": "14.3-RELEASE",
        "versionType": "release"
      },
      {
        "lessThan": "p10",
        "status": "affected",
        "version": "13.5-RELEASE",
        "versionType": "release"
      }
    ]
  }
]

Source	Link
security	www.security.freebsd.org/advisories/FreeBSD-SA-26:04.jail.asc

09 Mar 2026 11:54Current

EPSS0.00111

directory descriptors jail escape chroot escape unix domain sockets nullfs mount sibling jails filesystem access