Critical VMXNET3 Integer Overflow (CVE-2025-41236) Enables Hypervisor Escape in VMware ESXi
What It Is — An integer‑overflow flaw in the VMXNET3 virtual NIC driver of VMware ESXi allows a malicious actor who can run code inside a guest VM to corrupt kernel memory and gain code execution at the hypervisor level.
Exploitability — The vulnerability was demonstrated in the Pwn2Own competition, confirming a working exploit. CVSS v3.1 score 8.2 (High). Exploits require prior foothold inside a guest VM; no public‑facing exploit‑as‑a‑service has been observed.
Affected Products — VMware ESXi (all versions prior to the March 2026 security update) that include the VMXNET3 virtual NIC.
TPRM Impact — ESXi underpins many managed‑service, cloud‑hosting, and on‑premise virtualization environments. A successful hypervisor escape can expose tenant workloads, steal data, or disrupt services across multiple customers, creating a supply‑chain risk for organizations that rely on third‑party VMware‑based infrastructure.
Recommended Actions
- Deploy VMware’s March 2026 security update (Security Advisory 35877) immediately.
- Verify that all ESXi hosts are running the patched version; inventory any out‑of‑date hosts.
- Where VMXNET3 is not required, disable the device or replace it with an alternative NIC driver.
- Harden guest VMs: enforce least‑privilege policies, limit execution of untrusted code, and apply host‑based intrusion detection.
- Monitor ESXi logs for abnormal VMXNET3 activity and for signs of privilege‑escalation attempts.
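To support the inventory and VMXNET3-removal actions above, the following added example (not from the original page or from VMware) reads the `ethernetN.present` and `ethernetN.virtualDev` settings in VM `.vmx` configuration text and reports which VMs have an active VMXNET3 adapter. It assumes the `.vmx` contents have already been collected; the VM names and sample fragments are constructed.

```python
import re

# Matches .vmx lines such as: ethernet0.virtualDev = "vmxnet3"
_LINE = re.compile(r'^\s*(ethernet\d+)\.(\w+)\s*=\s*"(.*)"\s*$', re.IGNORECASE)

def parse_adapters(vmx_text):
    """Return {adapter: {key: value}} for every ethernetN entry in a .vmx file."""
    adapters = {}
    for line in vmx_text.splitlines():
        m = _LINE.match(line)
        if m:
            name, key, value = m.group(1).lower(), m.group(2).lower(), m.group(3)
            adapters.setdefault(name, {})[key] = value
    return adapters

def vmxnet3_adapters(vmx_text):
    """List present adapters whose virtualDev is vmxnet3, sorted by name."""
    hits = []
    for name, cfg in parse_adapters(vmx_text).items():
        # An adapter that is not marked present is not attached to the VM.
        present = cfg.get("present", "FALSE").upper() == "TRUE"
        if present and cfg.get("virtualdev", "").lower() == "vmxnet3":
            hits.append(name)
    return sorted(hits)

def inventory(vmx_files):
    """Map VM name -> vmxnet3 adapters, keeping only VMs that have at least one."""
    report = {}
    for vm, text in vmx_files.items():
        hits = vmxnet3_adapters(text)
        if hits:
            report[vm] = hits
    return report

# Constructed sample .vmx fragments (not taken from any real host).
SAMPLE = {
    "web01": 'ethernet0.present = "TRUE"\nethernet0.virtualDev = "vmxnet3"\n'
             'ethernet1.present = "TRUE"\nethernet1.virtualDev = "e1000e"\n',
    "db01": 'ethernet0.present = "TRUE"\nethernet0.virtualDev = "e1000e"\n',
    "old01": 'ethernet0.present = "FALSE"\nethernet0.virtualDev = "vmxnet3"\n',
}

if __name__ == "__main__":
    for vm, nics in inventory(SAMPLE).items():
        print(f"{vm}: {', '.join(nics)}")
```

VMs in the report are the ones to prioritize for host patching or, where VMXNET3 is not required, for an adapter change.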