The FreeBSD project has released details on two significant security flaws that could allow attackers to break out of restricted jail environments or crash the system entirely. Here is everything you need to know about CVE-2025-15576 and CVE-2026-3038.
FreeBSD jails operate as an operating system virtualization technology that allows administrators to confine processes within an environment with a limited ability to affect the system outside of that environment. Jailed processes typically have their filesystem access restricted by a chroot-like mechanism. However, a newly disclosed vulnerability exposes a critical flaw in how these jails handle file descriptor exchanges.
The issue, tracked as CVE-2025-15576, arises when two sibling jails—where neither jail root directory is an ancestor of the other—are configured to access a shared directory via a nullfs mount. The nullfs(4) feature is a pseudo-filesystem that allows a directory to be mounted at another point in the filesystem hierarchy.
- Cooperating processes across the two jails can establish a connection using a Unix domain socket.
- Unix domain sockets are an interprocess communication mechanism that allow processes to exchange file descriptors using control messages.
- During a filesystem name lookup, the kernel checks whether the lookup would descend below the current process’s jail root; if the root is not encountered, the lookup continues.
The impact of this interaction is severe. In this configuration, it is possible for a jailed process to receive a descriptor for a directory that lies below that process’s jail root. As the advisory explicitly states, this flaw “enables full filesystem access for a jailed process, breaking the chroot.”
Even with a patched kernel, the system administrator is still responsible for ensuring that an unprivileged user on the jail host is not able to pass directory descriptors to a jailed process.
The second advisory, CVE-2026-3038, details a local Denial of Service (DoS) and potential privilege escalation vulnerability stemming from the routing socket interface.
The route(4) interface lets users query the state of the kernel’s routing tables. While most operations require root privileges, unprivileged users are permitted to send RTM_GET messages to obtain information about routing table entries. The vulnerability lies in how the rtsock_msg_buffer() function processes these requests:
- The function serializes routing information into a buffer and copies sockaddr structures into a sockaddr_storage structure on the stack.
- It operates under the assumption that the source sockaddr length field has already been validated.
- Because this validation is not guaranteed, a malicious userspace program can craft a request that triggers a 127-byte overflow.
In practice, this overflow allows an unprivileged user to crash the kernel. The overflow overwrites the stack canary of the rtsock_msg_buffer() stack frame; that canary is verified when the function returns, so the corruption is detected and triggers a kernel panic, which limits the impact of the stack overflow to a crash.
However, the advisory includes a critical caveat: if other kernel bugs exist that allow userspace to find the canary value, they could defeat this mitigation, “at which point local privilege escalation may be possible.”
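As an added illustration of the unchecked-length pattern described above (constructed example, not FreeBSD's code): the struct layouts below mimic BSD-style sockaddr with a one-byte sa_len field and a 128-byte sockaddr_storage, the names bsd_sockaddr, bsd_sockaddr_storage, copy_sockaddr_checked and max_unchecked_overrun are hypothetical, and the bounds check shows the validation that the advisory says was assumed rather than guaranteed. The arithmetic also shows why a uint8_t length copied into a 128-byte buffer can overrun by at most 127 bytes, matching the figure in the advisory.

```c
/* Constructed illustration of the unchecked sockaddr-length pattern behind
 * CVE-2026-3038. Not FreeBSD's code; layouts only mimic BSD sockaddr. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* BSD-style sockaddr: the first byte is the length the sender claims. */
struct bsd_sockaddr {
    uint8_t sa_len;
    uint8_t sa_family;
    char    sa_data[14];
};

/* Generic container sized to hold any real sockaddr: 128 bytes in total. */
struct bsd_sockaddr_storage {
    uint8_t ss_len;
    uint8_t ss_family;
    char    ss_pad[126];
};

#define SS_SIZE sizeof(struct bsd_sockaddr_storage)

/* Copy a caller-supplied sockaddr into a fixed-size storage buffer.
 * src_avail is how many bytes the caller actually provided.
 * Returns 0 on success, -1 if the claimed length cannot be trusted. */
int copy_sockaddr_checked(const struct bsd_sockaddr *src, size_t src_avail,
                          struct bsd_sockaddr_storage *dst)
{
    size_t len;

    if (src == NULL || dst == NULL || src_avail < 2)
        return -1;              /* not enough bytes to read sa_len/sa_family */
    len = src->sa_len;
    if (len < 2 || len > src_avail || len > SS_SIZE)
        return -1;              /* claimed length exceeds what fits: reject */
    memset(dst, 0, SS_SIZE);
    memcpy(dst, src, len);      /* bounded: never more than SS_SIZE bytes */
    return 0;
}

/* Worst-case overrun if the copy used src->sa_len unchecked:
 * a uint8_t length peaks at 255, the destination holds 128. */
size_t max_unchecked_overrun(void)
{
    return UINT8_MAX - SS_SIZE; /* 255 - 128 = 127 */
}
```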
To protect your infrastructure against both vulnerabilities, the FreeBSD project recommends immediate patching.