CVE-2025-15576

Published: Mar 09, 2026 Last Modified: Mar 10, 2026
ExploitDB:
Other exploit source:
Google Dorks:
HIGH 7,5
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Attack Vector: local
Attack Complexity: high
Privileges Required: low
User Interaction: none
Scope: changed
Confidentiality: high
Integrity: high
Availability: none

Description

AI Translation Available

If two sibling jails are restricted to separate filesystem trees, which is to say that neither of the two jail root directories is an ancestor of the other, jailed processes may nonetheless be able to access a shared directory via a nullfs mount, if the administrator has configured one.

In this case, cooperating processes in the two jails may establish a connection using a unix domain socket and exchange directory descriptors with each other.

When performing a filesystem name lookup, at each step of the lookup, the kernel checks whether the lookup would descend below the jail root of the current process. If the jail root directory is not encountered, the lookup continues.

In a configuration where processes in two different jails are able to exchange file descriptors using a unix domain socket, it is possible for a jailed process to receive a directory for a descriptor that is below that process' jail root. This enables full filesystem access for a jailed process, breaking the chroot.

Note that the system administrator is still responsible for ensuring that an unprivileged user on the jail host is not able to pass directory descriptors to a jailed process, even in a patched kernel.

EPSS (Exploit Prediction Scoring System)

Trend Analysis

EPSS (Exploit Prediction Scoring System)

Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.

EPSS Score
0,0002
Percentile
0,0th
Updated

EPSS Score Trend (Last 7 Days)

269

Improper Privilege Management

Draft
Abstraction: Class Structure: Simple
Common Consequences
Security Scopes Affected:
Access Control
Potential Impacts:
Gain Privileges Or Assume Identity
Applicable Platforms
All platforms may be affected
Likelihood of Exploit: Medium
View CWE Details
488

Exposure of Data Element to Wrong Session

Draft
Abstraction: Base Structure: Simple
Common Consequences
Security Scopes Affected:
Confidentiality
Potential Impacts:
Read Application Data
Applicable Platforms
All platforms may be affected
View CWE Details
790

Improper Filtering of Special Elements

Incomplete
Abstraction: Class Structure: Simple
Common Consequences
Security Scopes Affected:
Integrity
Potential Impacts:
Unexpected State
Applicable Platforms
All platforms may be affected
View CWE Details
https://security.freebsd.org/advisories/FreeBSD-SA-26:04.ja…
https://security.freebsd.org/advisories/FreeBSD-SA-26:04.jail.asc