FreeBSD security advisory (AV26-179)
Analysis Summary
# Vulnerability: Multiple Critical Flaws in FreeBSD Kernel (Jail Escape & Routing Socket Privilege Escalation)
## CVE Details
- **CVE ID:** CVE-2025-15576, CVE-2026-3038
- **CVSS Score:** Critical (Numerical score not specified in high-level advisory, but typical for Jail escapes and Kernel DoS/Privilege Escalation)
- **CWE:** CWE-200 (Information Exposure), CWE-264 (Permissions/Privilege/Access Control)
## Affected Systems
- **Products:** FreeBSD Operating System
- **Versions:**
  - FreeBSD 14.3 (prior to patch)
  - FreeBSD 13.5 (prior to patch)
- **Configurations:** Systems utilizing Jails for process isolation or systems allowing local user access to routing sockets.
## Vulnerability Description
This advisory covers two distinct security issues within the FreeBSD kernel:
1. **Jail chroot escape (CVE-2025-15576):** A flaw exists in the mechanism of file descriptor (fd) exchange between different Jails. If a process in one jail can exchange a file descriptor with a process in a different jail (or the host), it may lead to a `chroot` escape, allowing the process to access files outside its sandbox.
2. **Routing Socket Flaw (CVE-2026-3038):** A vulnerability in the handling of routing sockets can be triggered by a local user. This can lead to a Local Denial of Service (DoS) or potentially a full Privilege Escalation to root by exploiting kernel memory corruption or logic errors in the network stack.
## Exploitation
- **Status:** No official report of exploitation in the wild at the time of publication.
- **Complexity:** Medium (Requires sophisticated understanding of FreeBSD kernel internals).
- **Attack Vector:** Local (Requires execution access on the target system).
## Impact
- **Confidentiality:** High (Escape from isolation and potential root access allows full data access).
- **Integrity:** High (Ability to modify system files and kernel memory).
- **Availability:** High (Potential for system-wide crash/DoS via routing socket exploit).
## Remediation
### Patches
FreeBSD has released patches for the supported branches. Administrators should update to the following versions or apply the relevant source patches:
- **FreeBSD-SA-26:04.jail:** Update to the latest security branch for 14.3 or 13.5.
- **FreeBSD-SA-26:05.route:** Update to the latest security branch for 14.3 or 13.5.
Specific patch commands:

```
freebsd-update fetch
freebsd-update install
```
### Workarounds
- **For CVE-2025-15576:** Ensure that Jails do not share IPC mechanisms or Unix domain sockets that allow for file descriptor passing (SCM_RIGHTS).
- **For CVE-2026-3038:** Restrict access to routing sockets; however, this may break networking utilities for non-privileged users.
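
One way to audit the CVE-2025-15576 workaround is to list directories that more than one jail can reach, since a Unix domain socket bound in such a directory is a place where descriptors could be passed between jails. The script below is an added example, not part of the advisory or of FreeBSD; it assumes jails share directories through nullfs mounts, and the jail names, paths and command output in it are constructed samples.

```python
import os
from collections import defaultdict

# Constructed sample data (not from a real host).
# JLS_OUTPUT mimics `jls name path`; MOUNT_OUTPUT mimics `mount -p` (fstab format).
JLS_OUTPUT = """\
web /jails/web
db /jails/db
build /jails/build
"""
MOUNT_OUTPUT = """\
zroot/ROOT/default / zfs rw 0 0
/data/shared /jails/web/mnt/shared nullfs rw 0 0
/data/shared /jails/db/mnt/shared nullfs rw 0 0
/usr/ports /jails/build/usr/ports nullfs ro 0 0
/jails/db/var/run /jails/web/var/run/db nullfs rw 0 0
"""

def parse_jails(text):
    """Return {jail_name: root_path} from `jls name path` output."""
    rows = (line.strip().split(None, 1) for line in text.splitlines() if line.strip())
    return {name: os.path.normpath(root) for name, root in rows}

def owning_jail(path, jails):
    """Name of the jail whose root contains path (deepest root wins), else None."""
    hits = [(len(root), name) for name, root in jails.items()
            if os.path.commonpath([path, root]) == root]
    return max(hits)[1] if hits else None

def shared_nullfs_sources(mount_text, jails_text):
    """Map each nullfs source directory to the jails that can reach it,
    keeping only sources reachable from two or more jails."""
    jails = parse_jails(jails_text)
    seen = defaultdict(set)
    for line in mount_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[2] != "nullfs":
            continue
        source, mountpoint = fields[0], fields[1]
        for path in (source, mountpoint):  # the source may itself live in a jail
            jail = owning_jail(path, jails)
            if jail:
                seen[source].add(jail)
    return {src: sorted(names) for src, names in seen.items() if len(names) > 1}

if __name__ == "__main__":
    for src, names in shared_nullfs_sources(MOUNT_OUTPUT, JLS_OUTPUT).items():
        print(f"{src}: reachable from jails {', '.join(names)}")
```

On a live host, pass the output of `jls name path` and `mount -p` in place of the constructed samples.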
## Detection
- **Indicators of Compromise:** Unusual kernel panics or crashes; unauthorized processes appearing outside of assigned Jails; unexpected privilege changes for local users.
- **Detection methods and tools:** Audit system logs and monitor for unauthorized use of `chroot` or suspicious routing table manipulation.
## References
- **Vendor Advisories:**
  - [https[:]//www[.]freebsd[.]org/security/advisories/FreeBSD-SA-26:04.jail.asc]
  - [https[:]//www[.]freebsd[.]org/security/advisories/FreeBSD-SA-26:05.route.asc]
- **Relevant Links:**
  - [https[:]//www[.]cyber[.]gc[.]ca/en/alerts-advisories/freebsd-security-advisory-av26-179]
  - [https[:]//www[.]freebsd[.]org/security/advisories/]