Full Report
The authors competed at Pwn2Own Berlin 2025 in the VMware Workstation category. The vulnerability exists within the PVSCSI (Paravirtualized SCSI) controller emulation code, which is responsible for handling SCSI commands and forwarding them to the proper device on the machine. The guest OS splits the data into variable-sized chunks, each specifying a guest physical address to use. The code copies the entries provided by the guest driver into an internal array, then compacts it by combining adjacent entries. To begin with, the array holds 512 segments, totaling 0x2000 bytes. If there are more than 512 entries, it allocates a 0x4000-byte buffer to store all entries and reallocates it for each newly added entry. The intended design is to double the size of the internal buffer when it needs to grow. The vulnerability is that the buffer allocation is statically set to 0x4000 instead of doubling each time. This leads to a very large out-of-bounds heap write: with more than 1024 entries, every additional entry is an OOB write.

The chunk lands in the Windows 11 Low Fragmentation Heap (LFH). Typically, the strategy would be to target a different size class to shift the allocation to a less hardened allocator, but that is not possible here. Notably, the LFH performs strict checks on chunk metadata and shuffles the placement of allocations. To exploit this vulnerability, they needed an object of size 0x4000 that can be allocated directly from the guest. They ended up using shaders to spray the heap, since shaders can be freed, kept alive, or created at will. URB objects carry a length value that is used for writing to host memory directly, which makes them a great primitive for memory corruption. Exploiting this required a great deal of knowledge about the heap algorithm. They first filled two buckets (B1 and B2) with 16 shaders each. After this, they freed all but one of the shaders in B1 to create a hole and allocated 15 URBs around it. Finally, a hole is created in B2, and the setup for the exploit is ready.

The allocator will bounce between the two available slots in the two buckets. B2 is used to absorb the bad write so that it does not corrupt the metadata of a heap chunk belonging to another object, while B1 holds an object that can now be corrupted safely. This circumvents the mitigations and allows OOB chunks on the heap to be corrupted. The bug can first be used to leak ASLR. Once ASLR is leaked, a fake URB structure can be created to cause havoc: for an arbitrary read, overwrite URB.data_ptr; for an arbitrary write, corrupt URB.pipe and use a writeback mechanism to write the bytes. From there, they corrupted a callback function on a USB pipe object structure to call WinExec(), which is a CFG-whitelisted gadget. The exploit was initially unreliable because it assumed knowledge of the heap state at startup, so they used some tricks to make it more predictable and reliable. They observed that creating a new bucket takes longer, and used this as a timing side channel to infer the current LFH state. Luckily for them, it worked on the first try during the contest. They conducted this research over three months of evenings and weekends. The first month was spent on reverse engineering and identifying the vulnerability; exploitation took two months because of the LFH mitigations. Overall, a good post on the discovery and exploitation of a bug to win some money at Pwn2Own!
Analysis Summary
# Vulnerability: VMware Workstation PVSCSI Heap-Overflow VM Escape
## CVE Details
- **CVE ID:** CVE-2025-41238
- **CVSS Score:** 8.5 (High) - *Estimated based on typical VM escape impact*
- **CWE:** CWE-122 (Heap-based Buffer Overflow) / CWE-131 (Incorrect Calculation of Buffer Size)
## Affected Systems
- **Products:** VMware Workstation
- **Versions:** Affected versions prior to the fixes released for Pwn2Own Berlin 2025 (specifically addressed in VMSA-2025-0013).
- **Configurations:** Systems with the Paravirtualized SCSI (PVSCSI) controller enabled.
## Vulnerability Description
The flaw exists within the **PVSCSI controller emulation code** in the `vmware-vmx` process. The controller handles SCSI commands via Scatter-Gather (S/G) segments provided by the guest OS.
- The code initially uses a static 0x2000-byte buffer (512 entries).
- If the guest provides more than 512 entries, the code allocates a 0x4000-byte buffer.
- **The Defect:** While the intended design was likely to double the buffer size dynamically to accommodate more entries, the allocation size is **statically locked at 0x4000**.
- **Result:** If a guest provides more than 1024 entries, the emulation code continues to write into the 0x4000-byte buffer, resulting in a massive out-of-bounds (OOB) heap write into the Windows 11 Low Fragmentation Heap (LFH).
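To make the defect concrete, here is an added C model of the scatter-gather list growth (not VMware's code; the entry layout, names and everything beyond the 0x2000 and 0x4000 figures are assumptions). The defective fixed-size policy sits beside the intended doubling policy, and the append routine returns an error at the exact entry where the real code would have written out of bounds, instead of performing the write.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Assumed 16-byte S/G entry, so 512 entries fill the 0x2000-byte inline array
 * the summary describes. All names here are assumptions, not VMware's. */
typedef struct { uint64_t gpa; uint32_t len; uint32_t flags; } sg_entry_t;
enum { SG_INLINE_BYTES = 0x2000, SG_HEAP_BYTES = 0x4000 };

typedef struct {
    sg_entry_t inline_buf[SG_INLINE_BYTES / sizeof(sg_entry_t)];
    sg_entry_t *buf;    /* inline_buf, or a heap buffer once grown */
    size_t cap_bytes;   /* bytes actually owned by buf */
    size_t count;
} sg_list_t;

typedef size_t (*grow_fn)(size_t cap_bytes);
/* Defective policy: every growth yields the same fixed 0x4000 bytes. */
static size_t grow_fixed(size_t cap_bytes) { (void)cap_bytes; return SG_HEAP_BYTES; }
/* Intended policy: double the owned size on every growth. */
static size_t grow_double(size_t cap_bytes) { return cap_bytes * 2; }

/* Append one entry. Returns 0 on success, or -1 at the exact point where the
 * policy failed to make room: the real code kept writing and went OOB here. */
static int sg_append(sg_list_t *l, grow_fn grow, sg_entry_t e) {
    size_t need = (l->count + 1) * sizeof(sg_entry_t);
    if (need > l->cap_bytes) {
        size_t new_cap = grow(l->cap_bytes);
        if (new_cap < need) return -1;        /* the check the defect lacked */
        sg_entry_t *nb = malloc(new_cap);
        if (nb == NULL) return -1;
        memcpy(nb, l->buf, l->count * sizeof(sg_entry_t));
        if (l->buf != l->inline_buf) free(l->buf);
        l->buf = nb;
        l->cap_bytes = new_cap;
    }
    l->buf[l->count++] = e;
    return 0;
}

/* How many of `requested` guest entries a policy accepts before overflowing. */
static size_t entries_accepted(grow_fn grow, size_t requested) {
    sg_list_t l;
    sg_entry_t e = { .gpa = 0x1000, .len = 0x200, .flags = 0 };  /* constructed */
    size_t n = 0;
    l.buf = l.inline_buf; l.cap_bytes = SG_INLINE_BYTES; l.count = 0;
    while (n < requested && sg_append(&l, grow, e) == 0) n++;
    if (l.buf != l.inline_buf) free(l.buf);
    return n;
}
```

With the fixed policy the 1025th entry is the first one that no longer fits, matching the "more than 1024 entries" threshold above; with doubling, the list keeps growing.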
## Exploitation
- **Status:** PoC demonstrated successfully at Pwn2Own Berlin 2025 by Synacktiv.
- **Complexity:** High (Requires bypassing Windows 11 LFH mitigations, including randomization and metadata checks).
- **Attack Vector:** Local (Guest-to-Host escape).
- **Technique:**
  - **Heap Spraying:** Utilized shaders and URB (USB Request Block) objects to shape the heap.
  - **Side-Channel:** Used a timing-based side-channel (measuring bucket creation time) to determine the state of the LFH and defeat allocation randomization.
  - **Primitives:** Corrupted URB structures to gain arbitrary read/write, eventually overwriting a CFG-whitelisted callback in a USB pipe object to execute `WinExec()`.
## Impact
- **Confidentiality:** High (Full access to host memory/data).
- **Integrity:** High (Ability to execute arbitrary code on the host OS).
- **Availability:** High (Host system crash or complete takeover).
## Remediation
### Patches
- Refer to VMware Security Advisory **VMSA-2025-0013** for the latest updates. Users should update to the version released post-January 2025.
### Workarounds
- If PVSCSI is not required, switch the virtual disk controller to LSI Logic or NVMe, though this may impact guest performance or bootability.
## Detection
- **Indicators of Compromise:** Unusual memory usage patterns from the `vmware-vmx.exe` process or unexpected child processes (e.g., `cmd.exe` or shells) spawned by VMware.
- **Detection Methods:** Monitor for guest-initiated SCSI operations with an abnormally high number of Scatter-Gather segments.
## References
- VMware Security Advisory: hxxps[://]support[.]broadcom[.]com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/35877
- Original Research: hxxps[://]www[.]synacktiv[.]com/en/publications/on-the-clock-escaping-vmware-workstation-at-pwn2own-berlin-2025