Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
8.8
Privileged user can escape jail by mounting nullfs filesystems
CVE-2025-15547
Summary
A user with elevated privileges in a jail can escape the jail's filesystem by mounting a nullfs filesystem, gaining access to the host or parent jail's full filesystem. This is a risk if the jail allows nullfs mounts. To mitigate, ensure that privileges are properly configured and nullfs mounts are not allowed in sensitive jails.
Original title
By default, jailed processes cannot mount filesystems, including nullfs(4). However, the allow.mount.nullfs option enables mounting nullfs filesystems, subject to privilege checks.
If a privilege...
Original description
By default, jailed processes cannot mount filesystems, including nullfs(4). However, the allow.mount.nullfs option enables mounting nullfs filesystems, subject to privilege checks.
If a privileged user within a jail is able to nullfs-mount directories, a limitation of the kernel's path lookup logic allows that user to escape the jail's chroot, yielding access to the full filesystem of the host or parent jail.
In a jail configured to allow nullfs(4) mounts from within the jail, the jailed root user can escape the jail's filesystem root.
If a privileged user within a jail is able to nullfs-mount directories, a limitation of the kernel's path lookup logic allows that user to escape the jail's chroot, yielding access to the full filesystem of the host or parent jail.
In a jail configured to allow nullfs(4) mounts from within the jail, the jailed root user can escape the jail's filesystem root.
Vulnerability type
CWE-269
Improper Privilege Management
Published: 9 Mar 2026 · Updated: 13 Mar 2026 · First seen: 9 Mar 2026