Notes


Oracle VM VirtualBox - VM escape via VGA device

An integer overflow vulnerability exists within the VirtualBox vmsvga3dSurfaceMipBufferSize [source] function. A guest-side attacker can drive the size computation so that it wraps to 0, causing the resulting malloc call to allocate 0 bytes while VirtualBox continues to track the buffer as having a size greater than 0.

An attacker can exploit this mismatch between allocated and tracked size to obtain linear read/write primitives, which can then be escalated to arbitrary read/write access within the host’s memory. We provide a proof-of-concept that demonstrates how to exploit this vulnerability to fully escape the virtual machine.
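The size-wrap-to-zero pattern described above, reduced to a stand-alone C illustration. This is an added example and not VirtualBox's code: the real formula in vmsvga3dSurfaceMipBufferSize is not reproduced here, and the helper names (mip_buffer_size_unchecked, mip_buffer_size_checked, size_mismatch) and the assumption that the allocation size is computed in 32-bit arithmetic while the logical size the device later trusts is not wrapped are illustrative choices made for this example. The surface dimensions used are constructed to make the 32-bit product wrap to exactly 0.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for a mip-level buffer size computation done in 32-bit arithmetic:
 * bytes = width * height * depth * bytes_per_pixel. Every multiplication is
 * evaluated modulo 2^32, so guest-controlled dimensions can wrap the result
 * to 0 (or to any other small value). Illustrative, not VirtualBox's formula. */
static uint32_t mip_buffer_size_unchecked(uint32_t width, uint32_t height,
                                          uint32_t depth, uint32_t bpp)
{
    return width * height * depth * bpp;
}

/* Portable overflow-checked 32-bit multiply: returns 0 on overflow. */
static int mul_u32_checked(uint32_t a, uint32_t b, uint32_t *out)
{
    if (a != 0 && b > UINT32_MAX / a)
        return 0;
    *out = a * b;
    return 1;
}

/* Hardened variant: reject any intermediate product that does not fit in
 * 32 bits and reject a zero-sized surface, so malloc(0) can never happen. */
static int mip_buffer_size_checked(uint32_t width, uint32_t height,
                                   uint32_t depth, uint32_t bpp, uint32_t *out)
{
    uint32_t tmp;
    if (!mul_u32_checked(width, height, &tmp)) return 0;
    if (!mul_u32_checked(tmp, depth, &tmp))    return 0;
    if (!mul_u32_checked(tmp, bpp, &tmp))      return 0;
    if (tmp == 0)                              return 0;
    *out = tmp;
    return 1;
}

/* Returns 1 when the wrapped 32-bit size is 0 but the logical size of the
 * surface (computed without wrapping, as the device would later trust it)
 * is non-zero: the exact state in which a 0-byte allocation is tracked as a
 * buffer larger than 0. (Assumption of this example: logical size fits in 64 bits.) */
static int size_mismatch(uint32_t width, uint32_t height, uint32_t depth, uint32_t bpp)
{
    uint64_t logical = (uint64_t)width * height * depth * bpp;
    uint32_t alloc   = mip_buffer_size_unchecked(width, height, depth, bpp);
    return alloc == 0 && logical != 0;
}

int main(void)
{
    /* Constructed dimensions: 65536 * 65536 == 2^32, which is 0 in uint32_t. */
    uint32_t w = 65536u, h = 65536u, d = 1u, bpp = 4u;

    uint32_t alloc_size = mip_buffer_size_unchecked(w, h, d, bpp);
    uint64_t tracked    = (uint64_t)w * h * d * bpp;
    printf("unchecked: malloc(%u) while tracked size is %llu bytes (mismatch=%d)\n",
           alloc_size, (unsigned long long)tracked, size_mismatch(w, h, d, bpp));

    /* malloc(0) returns either NULL or a minimal chunk; any later copy of
     * `tracked` bytes into it is a heap overflow. We only allocate and free
     * here; the dangerous write is deliberately not performed. */
    void *p = malloc(alloc_size);
    printf("malloc(0) returned %s\n", p ? "a minimal chunk" : "NULL");
    free(p);

    uint32_t safe_size;
    if (!mip_buffer_size_checked(w, h, d, bpp, &safe_size))
        printf("checked: surface rejected, no allocation performed\n");

    if (mip_buffer_size_checked(256u, 256u, 1u, 4u, &safe_size))
        printf("checked: 256x256x1 @ 4 bpp -> %u bytes\n", safe_size);
    return 0;
}
```

The checked variant rejects the overflowing surface before any allocation happens; the general rule it encodes is that a size fed to malloc must be derived from the same overflow-checked arithmetic that produces every other size the device later trusts for bounds, since the bug class lives in the gap between the two.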