On 27 January 2026 the FreeBSD project released security advisory FreeBSD-SA-26:02.jail, fixing CVE-2025-15547. The flaw lets a privileged user inside a jail escape its filesystem root (the jail’s chroot) and reach the full filesystem of the host or parent jail.
What the vulnerability is
Jails are FreeBSD’s lightweight virtualization and isolation mechanism, used widely to confine services and environments. By default a jail cannot mount filesystems. An administrator can grant that ability explicitly through options such as allow.mount and, specifically, allow.mount.nullfs, which enables mounting directories through the nullfs(4) pseudo-filesystem.
The advisory explains that when a jail is configured to allow nullfs mounts from within, a limitation in the kernel’s path lookup logic lets the jailed root user mount directories in a way that escapes the chroot bounding the jail. The attacker is then no longer confined and gains access to the host’s directory tree.
Who is affected
The issue affects FreeBSD 13.5 and 14.3 (the supported versions listed in the advisory). The key requirement is that the jail has allow.mount.nullfs enabled. Standard jail configurations, which do not permit nullfs mounts from inside, are not vulnerable.
That narrows the scope quite a bit. Only systems where an administrator has deliberately granted nullfs mounting to a jail are exposed, which is usually done for specific scenarios such as flexibly sharing host directories. Even then the consequences are serious, because the flaw breaks the jail’s primary guarantee: isolation.
Severity
The advisory assigns no CVSS score, but the impact is high in security-model terms. A jail escape defeats confinement and can turn a limited compromise inside the jail into full access to the host. Anyone who already holds root privileges inside the jail, whether by multi-user design or after compromising a service running as root, can pivot to the host system.
Mitigation and patch
The advisory states plainly that no workaround is available. The fix is to update, and there are two paths:
- Binary patches: apply the update via
freebsd-update(8)and restart services or the system as appropriate. - From source: rebuild the patched kernel from the relevant branches (
stable/14,releng/14.3,stable/13,releng/13.5), whose commits are referenced in the official advisory.
Until you can patch, review jail configurations and remove allow.mount.nullfs wherever it is not strictly required, which shrinks the attack surface. Least privilege applies especially to mount capabilities inside jails.
For more on FreeBSD’s isolation model compared with other Linux mechanisms, see the FreeBSD page.
Source
- Official advisory: FreeBSD-SA-26:02.jail
- CVE detail: CVE-2025-15547 on NVD