
Critical VM Escape Vulnerability Discovered in Oracle VirtualBox

Virtualbox VM Escape

Security researchers from Google's Security Research team have disclosed a high-severity vulnerability in Oracle's VirtualBox virtualization software that allows attackers to completely escape from a virtual machine and execute code on the host system.

The vulnerability, tracked as CVE-2025-30712, affects VirtualBox version 7.1.6 and was discovered by researcher "thatjiaozi." Oracle patched the issue on April 15, 2025.

The security flaw stems from an integer overflow in the vmsvga3dSurfaceMipBufferSize function within VirtualBox's VMSVGA device emulation. The overflowed size calculation leads the system to allocate zero bytes for a buffer while the recorded buffer size remains a positive value, so later accesses are bounds-checked against a size the allocation does not actually have.
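As an added illustration of the bug class (not code from the advisory or from VirtualBox), the following hypothetical C model shows a mip-level size computed in 32-bit arithmetic that wraps to zero while the 64-bit bookkeeping value stays positive, beside a hardened version that rejects overflow and zero-sized surfaces. All structure and function names are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
/* Constructed illustration of the bug class described above: a mip-level
 * size computed in 32-bit arithmetic that wraps to zero. All names and
 * structures here are hypothetical, not VirtualBox's own code. */
typedef struct { uint32_t width, height, bytes_per_pixel; } mip_level_t;
typedef struct {
    uint8_t *data;
    uint64_t tracked_size; /* size the device model believes it owns     */
    uint32_t alloc_size;   /* size actually requested from the allocator */
} surface_t;

/* Unchecked: the product is evaluated in uint32_t and silently wraps. */
uint32_t mip_buffer_size_unchecked(const mip_level_t *m)
{
    return m->width * m->height * m->bytes_per_pixel;
}

/* Checked: each multiplication is overflow-tested and a zero result is
 * rejected, since a zero-byte buffer can never back a real surface. */
bool mip_buffer_size_checked(const mip_level_t *m, uint32_t *out)
{
    uint32_t tmp;
    if (__builtin_mul_overflow(m->width, m->height, &tmp)) return false;
    if (__builtin_mul_overflow(tmp, m->bytes_per_pixel, &tmp)) return false;
    if (tmp == 0) return false;
    *out = tmp;
    return true;
}

/* Vulnerable allocation path: bookkeeping is done in 64 bits while the
 * allocator receives the wrapped 32-bit value, so the two disagree. */
bool surface_alloc_unchecked(surface_t *s, const mip_level_t *m)
{
    s->tracked_size = (uint64_t)m->width * m->height * m->bytes_per_pixel;
    s->alloc_size = mip_buffer_size_unchecked(m);
    s->data = malloc(s->alloc_size); /* glibc returns non-NULL even for 0 */
    return s->data != NULL;
}

/* Hardened path: one validated size feeds both fields, or allocation fails. */
bool surface_alloc_checked(surface_t *s, const mip_level_t *m)
{
    uint32_t size;
    if (!mip_buffer_size_checked(m, &size)) return false;
    s->tracked_size = s->alloc_size = size;
    s->data = malloc(size);
    return s->data != NULL;
}
```

The geometry 65536 x 65536 x 1 byte is exactly 2^32, which is the smallest product that wraps to zero in 32 bits; the checked path refuses it while accepting ordinary surfaces.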

What makes this vulnerability particularly dangerous is that it allows attackers to develop both linear read and write primitives that can eventually be escalated to arbitrary read/write access within the host system's memory.

According to the technical details in the advisory, exploitation proceeds in several stages.

First, attackers trigger the allocation of a "buggy surface" with a size of zero. They then allocate a specific object with a recognizable pattern (referred to as an "egg") to fingerprint their target in memory. Through heap grooming techniques, attackers can leverage out-of-bounds reads to locate their target objects in memory.

Once established, these primitives enable attackers to break Address Space Layout Randomization (ASLR), gain control over the instruction pointer (RIP), and ultimately execute arbitrary code on the host system.

Google demonstrates a complete proof-of-concept that successfully performs a VM escape with a reported 100% reliability after just a few attempts. The attack chain involves planting shellcode, constructing ROP chains using gadgets from VirtualBox libraries, and executing commands that trigger the exploit.

Oracle users running VirtualBox 7.1.6 are strongly advised to update to the patched version immediately. This vulnerability underscores the critical importance of maintaining virtualization software, especially in environments where VMs are used as security boundaries between untrusted code and host systems.
