From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-26:04.jail
Reply-To: freebsd-security@freebsd.org
Message-Id: <20260224163752.3342911CE9@freefall.freebsd.org>
Date: Tue, 24 Feb 2026 16:37:52 +0000 (-00)
List-Archive: https://lists.freebsd.org/archives/freebsd-security

=============================================================================
FreeBSD-SA-26:04.jail                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Jail chroot escape via fd exchange with a different jail

Category:       core
Module:         jail
Announced:      2026-02-24
Affects:        FreeBSD 14.3 and 13.5.
Corrected:      2025-07-29 12:49:03 UTC (stable/14, 14.3-STABLE)
                2026-02-24 16:01:32 UTC (releng/14.3, 14.3-RELEASE-p9)
                2026-02-09 20:44:00 UTC (stable/13, 13.4-STABLE)
                2026-02-24 16:04:42 UTC (releng/13.5, 13.5-RELEASE-p10)
CVE Name:       CVE-2025-15576

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

Jails are an operating system virtualization technology which allow
administrators to confine processes within an environment with limited
ability to affect the system outside of that environment.  In particular,
jailed processes typically have their filesystem access restricted by a
chroot-like mechanism.

nullfs(4) is a pseudo-filesystem which allows a directory to be mounted at
another point in the filesystem hierarchy.

unix domain sockets are a mechanism for interprocess communication.  They
behave similarly to Internet sockets but are identified by names in the
local filesystem.  unix domain sockets allow processes to exchange file
descriptors using control messages.

II.  Problem Description

If two sibling jails are restricted to separate filesystem trees, which is
to say that neither of the two jail root directories is an ancestor of the
other, jailed processes may nonetheless be able to access a shared
directory via a nullfs mount, if the administrator has configured one.

In this case, cooperating processes in the two jails may establish a
connection using a unix domain socket and exchange directory descriptors
with each other.

When performing a filesystem name lookup, at each step of the lookup, the
kernel checks whether the lookup would descend below the jail root of the
current process.  If the jail root directory is not encountered, the
lookup continues.

III. Impact

In a configuration where processes in two different jails are able to
exchange file descriptors using a unix domain socket, it is possible for a
jailed process to receive a descriptor for a directory that is below that
process' jail root.  This enables full filesystem access for a jailed
process, breaking the chroot.

Note that the system administrator is still responsible for ensuring that
an unprivileged user on the jail host is not able to pass directory
descriptors to a jailed process, even in a patched kernel.

IV.  Workaround

No workaround is available.

Note that in order to exploit this problem, an attacker requires control
over processes in two jails which share a nullfs mount in which a unix
socket can be installed.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system installed from binary distribution sets:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64
platforms, or the i386 platform on FreeBSD 13, which were not installed
using base system packages, can be updated via the freebsd-update(8)
utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 14.3]
# fetch https://security.FreeBSD.org/patches/SA-26:04/jail-14.patch
# fetch https://security.FreeBSD.org/patches/SA-26:04/jail-14.patch.asc
# gpg --verify jail-14.patch.asc

[FreeBSD 13.5]
# fetch https://security.FreeBSD.org/patches/SA-26:04/jail-13.patch
# fetch https://security.FreeBSD.org/patches/SA-26:04/jail-13.patch.asc
# gpg --verify jail-13.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/14/                              3ad3ab5f9b6e    stable/14-n272076
releng/14.3/                            fbc35b3e6615  releng/14.3-n271471
stable/13/                              73530e4c2ea9    stable/13-n259752
releng/13.5/                            e6b96891ef7c  releng/13.5-n259202
-------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

The latest revision of this advisory is available at
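
The configuration this advisory concerns, two jails reaching a shared directory through nullfs mounts, can be inventoried on a jail host. The script below is an added example, not part of the advisory or of FreeBSD's own tooling; the function name shared_nullfs and the sample jail names and paths are constructed, and it assumes the output of `jls name path` and `mount -p -t nullfs` as input. It goes slightly beyond the exact case in the text by also matching mounts whose source directories contain one another.

```sh
#!/bin/sh
# Added example (not from the advisory): report pairs of jails that reach a
# common directory through nullfs mounts.
#   $1  "name path" lines, as printed by `jls name path`
#   $2  fstab-format lines, as printed by `mount -p -t nullfs`
# Assumes paths contain no whitespace.
shared_nullfs() {
    awk '
    # True when directory a equals b or is an ancestor of b.
    function covers(a, b) { return a == "/" || b == a || index(b, a "/") == 1 }
    NR == FNR { root[$1] = $2; next }            # first file: jail roots
    $3 == "nullfs" {                             # second file: nullfs mounts
        owner = ""; best = 0
        for (j in root)                          # longest containing jail root
            if (covers(root[j], $2) && length(root[j]) > best) {
                owner = j; best = length(root[j])
            }
        if (owner == "") next                    # mount point outside any jail
        n++; src[n] = $1; mp[n] = $2; opt[n] = $4; jail[n] = owner
    }
    END {
        # Two mounts overlap when one source is the other or contains it.
        for (i = 1; i <= n; i++)
            for (k = i + 1; k <= n; k++)
                if (jail[i] != jail[k] &&
                    (covers(src[i], src[k]) || covers(src[k], src[i])))
                    printf "%s:%s (%s) <-> %s:%s (%s)\n",
                        jail[i], mp[i], opt[i], jail[k], mp[k], opt[k]
    }' "$1" "$2"
}

# Constructed sample data; on a host, feed the two commands named above.
demo() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/nullfs.XXXXXX") || return 1
    printf '%s\n' 'web /jails/web' 'db /jails/db' 'build /jails/build' > "$d/jails"
    printf '%s\n' \
        '/data/shared /jails/web/mnt/shared nullfs rw 0 0' \
        '/data/shared /jails/db/mnt/shared nullfs rw 0 0' \
        '/data/shared/cache /jails/build/cache nullfs ro 0 0' \
        '/usr/ports /jails/build/usr/ports nullfs ro 0 0' \
        '/data/other /mnt/other nullfs rw 0 0' > "$d/mounts"
    shared_nullfs "$d/jails" "$d/mounts"
    rm -rf "$d"
}

demo
```

Each reported pair is a candidate for the shared-mount condition the advisory names; the listing does not establish whether a unix socket can be installed in the shared directory.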