FreeBSD Jail Escape Vulnerability via Nullfs Mounting

A vulnerability exists in FreeBSD jails that allows a privileged user to escape the jail's filesystem confinement by exploiting the ability to mount nullfs filesystems. This issue affects FreeBSD versions 14.3 and 13.5. By default, jailed processes cannot mount filesystems, but the allow.mount.nullfs option can be enabled. When this option is active, a privileged user can nullfs-mount directories, bypassing the jail's chroot restrictions and gaining access to the host's full filesystem or the parent jail's filesystem.

Impact

Exploitation of this vulnerability allows a privileged user within a jail to escape the jail's filesystem confinement, accessing the host's full filesystem or that of a parent jail.

Remediation

Users can upgrade to a supported FreeBSD stable or release branch dated after the correction date. Instructions for updating via the FreeBSD Update utility or applying a source code patch are available in the FreeBSD Security Advisory.