VMware Workstation PVSCSI Heap Overflow (CVE-2025-41238) Disclosed from Pwn2Own
A heap-based buffer overflow in VMware Workstation's PVSCSI virtual device, CVE-2025-41238, disclosed at Pwn2Own, allows a local attacker with high-privileged guest access to escalate privileges to the hypervisor level.

A critical vulnerability in VMware Workstation, disclosed at the Pwn2Own hacking contest, allows a local attacker to escape the guest virtual machine and execute arbitrary code at the hypervisor level. The flaw, tracked as CVE-2025-41238 and documented in advisory ZDI-26-190, carries a CVSS score of 8.2, reflecting its high impact on confidentiality, integrity, and availability.
The vulnerability resides in the implementation of the PVSCSI (Paravirtualized SCSI) virtual device. The issue is a heap-based buffer overflow caused by insufficient validation of user-supplied data length before copying it to a heap buffer. An attacker must first obtain the ability to execute high-privileged code on the target guest system to exploit this flaw. Once achieved, the attacker can leverage the overflow to escalate privileges and execute arbitrary code in the context of the hypervisor, effectively breaking out of the virtual machine.
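The bug class described above, a guest-controlled length copied into a fixed-size heap buffer without a bound check, is easy to see in miniature. The following C is an added illustration, not VMware's PVSCSI code and not the device's real request format: the `guest_request` struct, the `DEV_BUF_SIZE` allocation and the handler names are hypothetical. It places the unchecked pattern beside the hardened one, and the harness surrounds the heap buffer with a canary byte so that a rejected oversize request can be distinguished from one that silently overran.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical size of the heap buffer the emulated device copies into. */
#define DEV_BUF_SIZE 256

/* Constructed request shape: an untrusted, guest-supplied length and the
 * bytes it claims to describe. This is NOT the PVSCSI wire format. */
struct guest_request {
    uint32_t len;            /* guest-controlled, must be validated */
    const uint8_t *payload;  /* guest-controlled bytes */
};

/* Flawed pattern: trusts req->len and copies it into a fixed heap buffer.
 * Any len > dev_buf_size writes past the allocation. Shown for contrast
 * only; nothing below calls it. */
int copy_request_unchecked(uint8_t *dev_buf, const struct guest_request *req)
{
    memcpy(dev_buf, req->payload, req->len);   /* no bound on req->len */
    return (int)req->len;
}

/* Hardened pattern: validate the untrusted length against the actual
 * allocation before touching memory. Reject rather than truncate, so the
 * guest learns nothing about the buffer layout from a partial copy. */
int copy_request_checked(uint8_t *dev_buf, size_t dev_buf_size,
                         const struct guest_request *req)
{
    if (req->payload == NULL)
        return -1;
    if (req->len > dev_buf_size)   /* the missing check in the flawed version */
        return -1;
    memcpy(dev_buf, req->payload, req->len);
    return (int)req->len;
}

/* Harness: allocate the device buffer with one extra trailing canary byte,
 * run the checked handler, and report what happened.
 *   >= 0 : bytes copied, canary intact
 *   -1   : request rejected (or allocation failure)
 *   -2   : canary clobbered, i.e. the buffer was overrun               */
int handle_guest_request(const uint8_t *payload, uint32_t len)
{
    uint8_t *dev_buf = malloc(DEV_BUF_SIZE + 1);
    if (dev_buf == NULL)
        return -1;
    dev_buf[DEV_BUF_SIZE] = 0xA5;               /* canary */

    struct guest_request req = { len, payload };
    int rc = copy_request_checked(dev_buf, DEV_BUF_SIZE, &req);

    if (dev_buf[DEV_BUF_SIZE] != 0xA5)          /* should never trip */
        rc = -2;
    free(dev_buf);
    return rc;
}

/* Builds a constructed payload of `len` filler bytes and submits it. */
int demo_request(uint32_t len)
{
    uint8_t *payload = malloc(len ? len : 1);
    if (payload == NULL)
        return -1;
    memset(payload, 0x41, len);
    int rc = handle_guest_request(payload, len);
    free(payload);
    return rc;
}

int main(void)
{
    printf("16 bytes   -> %d\n", demo_request(16));            /* 16  */
    printf("256 bytes  -> %d\n", demo_request(DEV_BUF_SIZE));  /* 256 */
    printf("1024 bytes -> %d\n", demo_request(1024));          /* -1  */
    return 0;
}
```

The point to carry over to real device emulators is that the length field arrives from the guest and is as untrusted as any network input: the check must compare against the size the hypervisor actually allocated, and it belongs before the copy, not after. An exact-size request (256 bytes here) must still succeed, which is why the comparison is `>` rather than `>=`.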
The vulnerability was discovered and reported by researchers Thomas Bouzerar (@MajorTomSec) and Etienne Helluy-Lafont from Synacktiv, a team known for its strong performance in Pwn2Own competitions. The disclosure timeline shows the vulnerability was reported to VMware on May 23, 2025, with coordinated public release on March 16, 2026.
VMware has released a security update to address this vulnerability. The update is available through Broadcom's support portal, as detailed in Security Advisory 0/35877. Users of VMware Workstation are strongly advised to apply the patch immediately to mitigate the risk of virtual machine escape and hypervisor compromise.
This vulnerability is particularly concerning for organizations that rely on VMware Workstation for development, testing, or hosting sensitive workloads. A successful exploit could allow an attacker to move laterally from a compromised guest to the host system, potentially accessing other virtual machines and sensitive data.
The disclosure at Pwn2Own highlights the ongoing value of such competitions in identifying critical vulnerabilities in widely used virtualization software. VMware has a history of addressing similar issues, and this latest patch underscores the importance of keeping virtualization platforms up to date.
For more details, refer to the ZDI advisory and the VMware security advisory.