FreeBSD Jail Chroot Escape Vulnerability via File Descriptor Exchange

A vulnerability exists in FreeBSD jails that allows a process in one jail to access the filesystem of a sibling jail, effectively escaping the chroot restriction. This issue arises when both jails are confined to separate filesystem trees but share a nullfs mount. Processes in the jails can exchange directory descriptors through a unix domain socket, bypassing the jail's filesystem limitations. The vulnerability affects FreeBSD versions 14.3 and 13.5.

Impact

Exploitation of this vulnerability allows a jailed process to gain unrestricted access to the filesystem, undermining the chroot confinement.

Remediation

Users can upgrade to a supported FreeBSD stable or release branch dated after the correction date. Instructions for updating via the FreeBSD Update utility or applying a source code patch are available in the FreeBSD Security Advisory.