VYPR
patch · Published Mar 16, 2026 · Updated May 18, 2026 · 1 source

CVE-2025-41236: Critical Integer Overflow in VMware ESXi VMXNET3 Device Allows Hypervisor Takeover

A critical integer overflow vulnerability in VMware ESXi's VMXNET3 virtual device, disclosed at Pwn2Own, allows a local attacker with high-privileged guest access to escalate privileges to the hypervisor level.

VMware has released a patch for a critical vulnerability in ESXi's VMXNET3 virtual networking device that could allow a local attacker to break out of a virtual machine and execute arbitrary code on the hypervisor. The flaw, tracked as CVE-2025-41236 and disclosed by the Zero Day Initiative as ZDI-26-189, carries a CVSS score of 8.2 and was demonstrated at the Pwn2Own hacking competition.

The vulnerability is an integer overflow in the VMXNET3 virtual device implementation. The issue arises from the lack of proper validation of user-supplied data, which can result in an integer overflow before allocating a buffer. An attacker who first obtains the ability to execute high-privileged code on the target guest system can exploit this flaw to escalate privileges and execute arbitrary code in the context of the hypervisor, effectively escaping the virtual machine sandbox.
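The bug class described above, shown as an added C illustration that is not VMware's code and is not taken from the advisory: a buffer size computed from a guest-supplied count wraps in 32-bit arithmetic before allocation, next to a version that validates the count and uses a checked multiply. All function names, the descriptor size and the entry limit are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names and values; not VMware code. */
#define DESC_SIZE        16u    /* assumed bytes per ring descriptor */
#define MAX_RING_ENTRIES 4096u  /* assumed upper bound the device accepts */

/* Unsafe pattern: the 32-bit product wraps modulo 2^32, so the buffer
 * sized from it is far smaller than the entry count that later code
 * still trusts when it indexes the ring. */
uint32_t ring_bytes_unchecked(uint32_t count, uint32_t elem_size)
{
    return count * elem_size;
}

/* Hardened pattern: reject out-of-range counts first, then use a checked
 * multiply (GCC/Clang builtin) so a wrapped size can never reach the
 * allocator. Returns false and leaves *out untouched on rejection. */
bool ring_bytes_checked(uint32_t count, uint32_t elem_size,
                        uint32_t max_count, uint32_t *out)
{
    uint32_t bytes;

    if (count == 0 || count > max_count)
        return false;
    if (__builtin_mul_overflow(count, elem_size, &bytes))
        return false;
    *out = bytes;
    return true;
}

int main(void)
{
    uint32_t guest_count = 0x10000001u;  /* constructed sample input */
    uint32_t bytes = 0;

    printf("unchecked size: %u bytes for %u entries\n",
           ring_bytes_unchecked(guest_count, DESC_SIZE), guest_count);
    printf("checked accepts it: %s\n",
           ring_bytes_checked(guest_count, DESC_SIZE, MAX_RING_ENTRIES, &bytes)
               ? "yes" : "no");
    return 0;
}
```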

The vulnerability was reported by Nguyen Hoang Thach of STAR Labs SG Pte. Ltd., who demonstrated the exploit at Pwn2Own. The disclosure timeline shows the vulnerability was reported to VMware on May 21, 2025, with the coordinated public release occurring on March 16, 2026. VMware has issued an update to correct the vulnerability, with more details available through Broadcom support advisory 0/35877.

VMXNET3 is a high-performance paravirtualized network adapter used in VMware ESXi environments. Because it is a common virtual device, the vulnerability has broad implications for organizations running VMware virtualization infrastructure. Successful exploitation would allow an attacker with high-privileged guest access to compromise the entire hypervisor, potentially affecting all other virtual machines running on the host.

The disclosure at Pwn2Own highlights the continued focus on hypervisor escape vulnerabilities, which are among the most sought-after targets for security researchers and attackers alike. VMware has a history of patching similar flaws in its virtualization products, and administrators are urged to apply the latest updates from Broadcom as soon as possible to mitigate the risk of exploitation.

Synthesized by Vypr AI