What is the CVSS score of CVE-2025-15547?

CVE-2025-15547 has a CVSS 3.1 base score of 8.8 (High). CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of Freebsd are affected by CVE-2025-15547?

CVE-2025-15547 affects FreeBSD systems with the allow.mount.nullfs option enabled, permitting privilege escalation within jailed environments.

How to fix or mitigate CVE-2025-15547?

Within 24 hours: Inventory all FreeBSD systems and identify which have allow.mount.nullfs enabled in jail configurations. Within 7 days: Disable allow.mount.nullfs on all non-critical systems unless operationally essential; document business justification for any systems retaining this feature. Within 30 days: Implement compensating controls (privilege restrictions, process monitoring) on systems where the feature cannot be disabled, and monitor vendor advisories for patch availability.

Freebsd CVE-2025-15547

HIGH

Improper Privilege Management (CWE-269)

2026-03-09 secteam@freebsd.org

Privilege Escalation Freebsd

8.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:56 vuln.today

CVE Published

Mar 09, 2026 - 12:16 nvd

HIGH 8.8

DescriptionNVD

By default, jailed processes cannot mount filesystems, including nullfs(4). However, the allow.mount.nullfs option enables mounting nullfs filesystems, subject to privilege checks.

If a privileged user within a jail is able to nullfs-mount directories, a limitation of the kernel's path lookup logic allows that user to escape the jail's chroot, yielding access to the full filesystem of the host or parent jail.

In a jail configured to allow nullfs(4) mounts from within the jail, the jailed root user can escape the jail's filesystem root.

AnalysisAI

By default, jailed processes cannot mount filesystems, including nullfs(4). However, the allow.mount.nullfs option enables mounting nullfs filesystems, subject to privilege checks. [CVSS 8.8 HIGH]

Technical ContextAI

Classified as CWE-269 (Improper Privilege Management). By default, jailed processes cannot mount filesystems, including nullfs(4). However, the allow.mount.nullfs option enables mounting nullfs filesystems, subject to privilege checks.

In a jail configured to allow nullfs(4) mounts from within the jail, the jailed root

RemediationAI

Monitor vendor advisories for a patch.

CVE-2025-15547 vulnerability details – vuln.today

Back

Freebsd CVE-2025-15547

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code