In the Cloud (AWS, Azure, GCP), you are running in a Virtual Machine. You trust that the VM next to you (belonging to a competitor) cannot see your memory. A VM Escape vulnerability allows code running in the Guest OS to execute on the Hypervisor (Host). If successful, one attacker can compromise thousands of customers at once.

How Virtualization Works

The Hypervisor (QEMU/KVM, Hyper-V, ESXi) emulates hardware. It creates a fake "Floppy Drive", a fake "Network Card", and a fake "Video Card".
These fake devices are just C code running on the Host.
The Attack Surface: If the C code parsing the "Fake Floppy Drive" requests has a bug (Buffer Overflow), the Guest can exploit it to seize control of the Host.

1. VENOM (CVE-2015-3456)

A classic example. QEMU included code to emulate a legacy Floppy Disk Controller (FDC). Almost no one used floppies in 2015, but the code was enabled by default.
The Bug: The FDC accepted commands from the Guest. A specially crafted command could overflow a buffer in the Host's FDC emulation code.
Impact: A guest could execute arbitrary code on the host, escaping the VM isolation.

2. 3D Acceleration Exploits

Video rendering is complex. Hypervisors pass 3D commands from Guest to Host GPU.
Pwn2Own: Frequently features VM escapes via the Virtual GPU (vGPU) or Shader Compiler. The complexity of graphics drivers makes them a prime target.

3. Shared Folders (HGFS)

VMware Tools allows "Shared Folders" between Host and Guest. This requires complex file parsing.
If the Guest puts a malicious filename or structure in the shared folder, and the Host driver parses it incorrectly, the result is a Kernel Panic or RCE on the Host.

4. Rowhammer (Hardware Attack)

This bypasses software entirely.
By rapidly reading/writing to a specific row of RAM (DRAM), you can cause electrical interference that flips bits in an adjacent row.
VM Impact: If the adjacent row belongs to the Hypervisor or another VM, you can corrupt their memory.
Technique: Flip a bit in the "Page Table Entry" to grant your VM access to physical memory it shouldn't see.

Mitigation

1. Reduce Attack Surface: Disable unneeded emulated hardware (Floppy, CD-ROM, Sound Card) in the VM config.
2. Hardware Isolation: Use IOMMU (Input-Output Memory Management Unit) to strictly isolate device memory access.
3. Patching: Hypervisor patches are critical (e.g., VMSA advisories from VMware).
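As an added example (not part of the original page), the attack-surface reduction in step 1 applied to a libvirt/KVM domain definition: the script audits the XML for the emulated devices this page names (floppy, CD-ROM, sound card, 3D-accelerated video, host/guest shared folders) and emits a hardened copy. The sample domain XML is constructed for the demo; the element names (`<disk device='floppy'>`, `<sound>`, `<acceleration accel3d>`, `<filesystem>`) are standard libvirt ones.

```python
import xml.etree.ElementTree as ET

# Constructed sample domain XML (not from a real deployment) with every
# unnecessary emulated device named on this page switched on.
SAMPLE_DOMAIN_XML = """<domain type='kvm'>
  <devices>
    <disk type='file' device='disk'><source file='/vms/root.qcow2'/><target dev='vda' bus='virtio'/></disk>
    <disk type='file' device='floppy'><target dev='fda' bus='fdc'/></disk>
    <disk type='file' device='cdrom'><target dev='sda' bus='sata'/></disk>
    <sound model='ich9'/>
    <video><model type='virtio'><acceleration accel3d='yes'/></model></video>
    <filesystem type='mount' accessmode='mapped'><source dir='/srv/share'/><target dir='share'/></filesystem>
  </devices>
</domain>"""

SURPLUS = {  # removable <devices> children and why each is attack surface
    "disk/floppy": "legacy floppy controller emulation (the VENOM class of bug)",
    "disk/cdrom": "CD-ROM emulation that most server guests never use",
    "sound": "emulated sound card: one more device model running on the host",
    "filesystem": "host/guest shared folder: the host parses guest-controlled names",
}
ACCEL_PATH = "devices/video/model/acceleration"

def device_key(el):
    return f"disk/{el.get('device', 'disk')}" if el.tag == "disk" else el.tag

def audit_domain(xml_text):
    """Return (element, reason) findings for attack-surface devices in the XML."""
    root = ET.fromstring(xml_text)
    findings = [(key, SURPLUS[key]) for el in root.iterfind("devices/*")
                if (key := device_key(el)) in SURPLUS]
    for accel in root.iterfind(ACCEL_PATH):
        if accel.get("accel3d") == "yes":
            findings.append((ACCEL_PATH, "3D acceleration exposes the virtual GPU and shader path"))
    return findings

def harden_domain(xml_text):
    """Return the XML with surplus devices removed and 3D acceleration switched off."""
    root = ET.fromstring(xml_text)
    devices = root.find("devices")
    for el in root.findall("devices/*"):  # findall returns a list, so removing is safe
        if device_key(el) in SURPLUS:
            devices.remove(el)
    for accel in root.iterfind(ACCEL_PATH):
        accel.set("accel3d", "no")
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    print(*audit_domain(SAMPLE_DOMAIN_XML), sep="\n")
    print("after hardening:", audit_domain(harden_domain(SAMPLE_DOMAIN_XML)))
```

The root virtio disk is left untouched; only the devices the page lists as unneeded are dropped, and the hardened XML audits clean.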