VMware ESXi VMCI Integer Underflow Vulnerability (CVE-2025-41237) Disclosed at Pwn2Own
A critical VMware ESXi vulnerability disclosed at Pwn2Own allows local attackers with guest privileges to escalate to hypervisor-level code execution via an integer underflow in the VMCI implementation.

VMware has released a security update for a critical vulnerability in ESXi's Virtual Machine Communication Interface (VMCI) that was disclosed as part of the Pwn2Own hacking competition. Tracked as CVE-2025-41237 and assigned a CVSS score of 8.2, the flaw is an integer underflow that can be exploited by a local attacker with high privileges on a guest virtual machine to escalate privileges and execute arbitrary code in the context of the hypervisor.
The vulnerability was discovered and reported by Corentin "@OnlyTheDuck" Bayet from REverse Tactics. According to the advisory from the Zero Day Initiative (ZDI-26-188), the specific flaw exists within the implementation of VMCI. The issue results from the lack of proper validation of user-supplied data, which can result in an integer underflow before writing to memory. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the hypervisor.
VMCI is a key component in VMware ESXi that enables high-performance communication between virtual machines and the host hypervisor. An integer underflow in this component could allow an attacker to corrupt hypervisor memory and gain control over the hypervisor, potentially compromising all virtual machines running on the host. The vulnerability requires the attacker to first obtain the ability to execute high-privileged code on the target guest system, which narrows who can reach the flaw but still poses a significant risk in multi-tenant environments or wherever guest VMs are not fully trusted.
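The advisory's description, "lack of proper validation of user-supplied data, which can result in an integer underflow before writing to memory," names a well-known bug class: a length derived from a guest-controlled value by unsigned subtraction wraps to a huge number when the input is smaller than the header it is supposed to include, and that wrapped length then bounds a write. The following C example is added here to illustrate that class and its fix; it is not VMware's code, does not model the real VMCI datagram format, and the header size, function names and sample message are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical fixed-size header, chosen for illustration only. The real
 * VMCI message layout is not described in the advisory and is not modelled. */
#define HDR_LEN 8u

/* The unsafe pattern: derive the payload length from a guest-supplied total
 * length without first checking that the total covers the header.
 * Unsigned subtraction wraps, so total_len = 4 yields 0xFFFFFFFC. */
uint32_t payload_len_unchecked(uint32_t total_len)
{
    return total_len - HDR_LEN;
}

/* Hardened variant: reject totals shorter than the header or longer than the
 * caller's limit before doing any arithmetic, so the result can never wrap.
 * Returns 0 on success, -1 on rejection (with *out set to 0). */
int payload_len_checked(uint32_t total_len, uint32_t max_total, uint32_t *out)
{
    if (total_len < HDR_LEN || total_len > max_total) {
        *out = 0;
        return -1;
    }
    *out = total_len - HDR_LEN;
    return 0;
}

/* Copy a message's payload into dst using only the validated length, so the
 * memcpy is bounded by the bytes actually received, the declared total, and
 * the destination capacity. Returns bytes copied, or 0 if rejected. */
size_t copy_payload(const uint8_t *msg, size_t msg_len, uint32_t total_len,
                    uint8_t *dst, size_t dst_cap)
{
    uint32_t plen;
    /* Largest total that still fits dst; guard the addition against wrap. */
    uint32_t max_total = (dst_cap > UINT32_MAX - HDR_LEN)
                             ? UINT32_MAX
                             : (uint32_t)dst_cap + HDR_LEN;

    /* Declared length must not exceed what was actually received. */
    if ((size_t)total_len > msg_len)
        return 0;
    if (payload_len_checked(total_len, max_total, &plen) != 0)
        return 0;

    memcpy(dst, msg + HDR_LEN, plen);
    return plen;
}

int main(void)
{
    /* Constructed sample: 8-byte header followed by the 5-byte payload "hello". */
    const uint8_t msg[13] = { 1, 0, 0, 0, 13, 0, 0, 0, 'h', 'e', 'l', 'l', 'o' };
    uint8_t dst[16];

    printf("unchecked, total_len=4  -> %u\n", payload_len_unchecked(4));
    printf("checked, 13-byte message -> %zu bytes copied\n",
           copy_payload(msg, sizeof msg, 13, dst, sizeof dst));
    printf("checked, total_len=4     -> %zu bytes copied\n",
           copy_payload(msg, sizeof msg, 4, dst, sizeof dst));
    return 0;
}
```

The point of the hardened path is that every bound is checked before the subtraction and before the write: a total shorter than the header, a total larger than the destination, and a declared total larger than the bytes actually received are all rejected up front, so no wrapped value ever reaches `memcpy`.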
VMware, now part of Broadcom, has issued a security update to address this vulnerability. The advisory can be found at Broadcom's support portal. Users are strongly advised to apply the patch as soon as possible, especially in environments where untrusted or high-privileged guest VMs are present. The disclosure timeline shows that the vulnerability was reported to VMware on May 23, 2025, and the coordinated public release occurred on March 16, 2026.
This disclosure is part of the Pwn2Own Berlin 2026 competition, where researchers collectively earned $1.3 million for 47 zero-day vulnerabilities across enterprise and AI products. The VMware ESXi VMCI flaw is one of several critical vulnerabilities that were demonstrated during the event, highlighting the ongoing risks in virtualization platforms that underpin modern data centers and cloud infrastructure.
Organizations using VMware ESXi should prioritize applying the patch and review their guest VM security policies to limit the potential for exploitation. While the vulnerability requires high privileges on the guest, it serves as a reminder that hypervisor-level flaws can have cascading impacts across entire virtualized environments.