A programming error has been found in the jail_attach(2)
system call which affects the way that system call verifies
the privilege level of the calling process. Instead of
failing immediately if the calling process was already
jailed, the jail_attach system call would fail only after
changing the calling process's root directory.
A process with superuser privileges inside a jail could
change its root directory to that of a different jail,
and thus gain full read and write access to files and
directories within the target jail.