How to fix CVE-2025-15547?

Within 24 hours: Inventory all FreeBSD systems and identify which have allow.mount.nullfs enabled in jail configurations. Within 7 days: Disable allow.mount.nullfs on all non-critical systems unless operationally essential; document business justification for any systems retaining this feature. Within 30 days: Implement compensating controls (privilege restrictions, process monitoring) on systems where the feature cannot be disabled, and monitor vendor advisories for patch availability.

Is Freebsd affected by CVE-2025-15547?

CVE-2025-15547 affects FreeBSD systems with the allow.mount.nullfs option enabled, permitting privilege escalation within jailed environments.

CVE-2025-15547

HIGH

2026-03-09 [email protected]

8.8

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:56 vuln.today

CVE Published

Mar 09, 2026 - 12:16 nvd

HIGH 8.8

Description

By default, jailed processes cannot mount filesystems, including nullfs(4). However, the allow.mount.nullfs option enables mounting nullfs filesystems, subject to privilege checks. If a privileged user within a jail is able to nullfs-mount directories, a limitation of the kernel's path lookup logic allows that user to escape the jail's chroot, yielding access to the full filesystem of the host or parent jail. In a jail configured to allow nullfs(4) mounts from within the jail, the jailed root user can escape the jail's filesystem root.

Analysis

By default, jailed processes cannot mount filesystems, including nullfs(4). However, the allow.mount.nullfs option enables mounting nullfs filesystems, subject to privilege checks. [CVSS 8.8 HIGH]

Technical Context

Classified as CWE-269 (Improper Privilege Management). By default, jailed processes cannot mount filesystems, including nullfs(4). However, the allow.mount.nullfs option enables mounting nullfs filesystems, subject to privilege checks.

If a privileged user within a jail is able to nullfs-mount directories, a limitation of the kernel's path lookup logic allows that user to escape the jail's chroot, yielding access to the full filesystem of the host or parent jail.

In a jail configured to allow nullfs(4) mounts from within the jail, the jailed root

Affected Products

By default, jailed processes cannot mount filesystems, including nullfs(4)

Remediation

Monitor vendor advisories for a patch.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +44

POC: 0

CVE-2025-15547 vulnerability details – vuln.today

Back

CVE-2025-15547

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-15547

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code