CVE-2025-15576 Jail chroot escape via fd exchange with a different jail

If two sibling jails are restricted to separate filesystem trees, which is to say that neither of the two jail root directories is an ancestor of the other, jailed processes may nonetheless be able to access a shared directory via a nullfs mount, if the administrator has configured one. In this...

CVE-2025-15576

CVE-2025-15576 describes a jail/chroot escape in FreeBSD. When two sibling jails are restricted to separate filesystem trees, processes in the two jails can still exchange directory descriptors via a unix domain socket and access a shared directory mounted with nullfs. During a filesystem name lo...

CVE-2025-15576 Jail chroot escape via fd exchange with a different jail

If two sibling jails are restricted to separate filesystem trees, which is to say that neither of the two jail root directories is an ancestor of the other, jailed processes may nonetheless be able to access a shared directory via a nullfs mount, if the administrator has configured one. In this...

CVE-2025-15547 Jail escape by a privileged user via nullfs

By default, jailed processes cannot mount filesystems, including nullfs4. However, the allow.mount.nullfs option enables mounting nullfs filesystems, subject to privilege checks. If a privileged user within a jail is able to nullfs-mount directories, a limitation of the kernel's path lookup logic...

CVE-2025-15547 Jail escape by a privileged user via nullfs

By default, jailed processes cannot mount filesystems, including nullfs4. However, the allow.mount.nullfs option enables mounting nullfs filesystems, subject to privilege checks. If a privileged user within a jail is able to nullfs-mount directories, a limitation of the kernel's path lookup logic...

FreeBSD : FreeBSD -- Jail chroot escape via fd exchange with a different jail (a88f5b2d-11e9-11f1-8148-bc241121aa0a)

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the a88f5b2d-11e9-11f1-8148-bc241121aa0a advisory. If two sibling jails are restricted to separate filesystem trees, which is to say that neither of the t...

FreeBSD-SA-26:04.jail

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-26:04.jail Security Advisory The FreeBSD Project Topic: Jail chroot escape via fd exchange with a different jail Category: core Module: jail Announced:...

FreeBSD -- Jail chroot escape via fd exchange with a different jail

Problem Description: If two sibling jails are restricted to separate filesystem trees, which is to say that neither of the two jail root directories is an ancestor of the other, jailed processes may nonetheless be able to access a shared directory via a nullfs mount, if the administrator has...

📄 sudo 1.9.17 chroot Privilege Escalation

This Metasploit module exploits CVE-2025-32463, a local privilege escalation vulnerability in Sudo's chroot functionality. The vulnerability allows attackers to load malicious NSS Name Service Switch modules from within a chroot environment, leading to arbitrary code execution as root...

Exploit for Inclusion of Functionality from Untrusted Control Sphere in Sudo_Project Sudo

CVE-2025-32463: Sudo Privilege Escalation chroot Este repos...

Exploit for Inclusion of Functionality from Untrusted Control Sphere in Sudo_Project Sudo

Heavily influenced/copied/based on the format of a similar repo...

CVE-2026-21620

A flaw was found in Erlang OTP tftpfile modules. This vulnerability allows an attacker to exploit a weakness in how file paths are handled, known as Relative Path Traversal. By manipulating these paths, an attacker could gain unauthorized access to sensitive files on the system, potentially leadi...

MiracleLinux 8 : container-tools:2.0 (AXSA:2021-2807:01)

The remote MiracleLinux 8 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2021-2807:01 advisory. buildah: Host environment variables leaked in build container when using chroot isolation CVE-2021-3602 Tenable has extracted the preceding description block...

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-001045)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-001045 advisory. The prependpath function in fs/dcache.c in the Linux kernel before 4.2.4 does not properly handle rename actions inside a bind mount, which allows local users to...

Unity Linux 20.1060a / 20.1070a Security Update: kernel (UTSA-2026-002340)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-002340 advisory. The prependpath function in fs/dcache.c in the Linux kernel before 4.2.4 does not properly handle rename actions inside a bind mount, which allows local users to...

Unity Linux 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-001946)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-001946 advisory. The prependpath function in fs/dcache.c in the Linux kernel before 4.2.4 does not properly handle rename actions inside a bind mount, which allows local users to...

Unity Linux 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-002457)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-002457 advisory. The pivotroot implementation in fs/namespace.c in the Linux kernel through 3.17 does not properly interact with certain locations of a chroot directory, which allows...

MiracleLinux 3 : bind-9.3.6-20.P1.4.0.1.AXS3 (AXSA:2012-942:04)

"The remote MiracleLinux 3 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2012-942:04 advisory. BIND Berkeley Internet Name Domain is an implementation of the DNS Domain Name System protocols. BIND includes a DNS server named, which resolves host names ...

CVE-2023-49788

Collabora Online is a collaborative online office suite based on LibreOffice technology. Unlike a standalone dedicated Collabora Online server, the Built-in CODE Server richdocumentscode is run without chroot sandboxing. Vulnerable versions of the richdocumentscode app can be susceptible to attac...

PT-2026-28560

Name of the Vulnerable Software and Affected Versions Incus versions prior to 6.23.0 Description Incus, a system container and virtual machine manager, allows instance template files to be used to perform arbitrary read and write operations as root on the host server. The software utilizes pongo2...