Breaking Isolation: A New Perspective on Hypervisor Exploitation via Cross-Domain Attacks
Gaoning Pan
Network and Distributed System Security (NDSS) Symposium 2026 · Day 1 · Cross-Domain Attacks
Virtual machine escape from hypervisors like **QEMU** and **VirtualBox** is one of the most consequential exploit classes in cloud security. This talk introduces **cross-domain attacks**, a systematic exploitation technique that makes previously unexploitable pointer corruption vulnerabilities in hypervisors practically exploitable. The key insight: guest VM memory is mapped into host address space, and the attacker fully controls guest memory. By redirecting corrupted pointers from the host address space into guest memory, attackers can construct fake objects with function pointers and capability fields entirely under their control, bypassing **ASLR** and the need to understand host memory layout.
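The mechanism above rests on one invariant that a hypervisor can check: objects the host dereferences (device state, callback tables, capability structs) should never live inside memory that is mapped from the guest. The following C snippet is an added illustration of that defensive check, not code from the talk, from QEMU, or from VirtualBox. The guest RAM table (`GUEST_RAM`), the object type (`dev_object_t`) and the functions `ptr_in_guest_ram` and `validate_host_object` are hypothetical names constructed for this example; a real hypervisor would source the ranges from its memory-region registry.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical host-side table of guest RAM mappings: each entry records the
   host virtual address range into which a guest physical region is mapped.
   The two ranges below are constructed sample values, not real layout. */
typedef struct {
    uintptr_t host_start;   /* host virtual address of the mapped guest region */
    size_t    len;          /* length of the mapping in bytes */
} guest_ram_map_t;

static const guest_ram_map_t GUEST_RAM[] = {
    { 0x7f0000000000ULL, 0x40000000 },  /* constructed: 1 GiB low guest RAM  */
    { 0x7f8000000000ULL, 0x10000000 },  /* constructed: 256 MiB high guest RAM */
};
#define GUEST_RAM_COUNT (sizeof GUEST_RAM / sizeof GUEST_RAM[0])

/* True if the host-side object [p, p + size) overlaps any guest-mapped range.
   The interval test also catches an object that only partially straddles a
   mapping boundary, which a simple "start address inside range" check misses. */
bool ptr_in_guest_ram(uintptr_t p, size_t size) {
    for (size_t i = 0; i < GUEST_RAM_COUNT; i++) {
        uintptr_t s = GUEST_RAM[i].host_start;
        uintptr_t e = s + GUEST_RAM[i].len;
        if (p < e && p + size > s) {
            return true;
        }
    }
    return false;
}

/* A host-private object of the kind a device model keeps a pointer to:
   it carries a function pointer and a capability field, exactly the fields
   an attacker-controlled fake object would want to supply. */
typedef struct {
    void (*handler)(void *ctx);
    uint32_t capability_mask;
} dev_object_t;

/* Defensive invariant: a pointer the hypervisor is about to dereference as a
   host object must not resolve into guest-controlled memory. Returns 0 when
   the pointer is acceptable and -1 when it is NULL or lands in guest RAM.
   The pointer is only compared, never dereferenced, so an untrusted value
   can be screened before use. */
int validate_host_object(const dev_object_t *obj) {
    if (obj == NULL) {
        return -1;
    }
    if (ptr_in_guest_ram((uintptr_t)obj, sizeof *obj)) {
        /* In a real hypervisor this is the place to log and abort the request:
           a host-private object inside guest RAM is never legitimate. */
        return -1;
    }
    return 0;
}

int main(void) {
    /* Constructed pointer values: one inside guest RAM, one in a host-only area. */
    const dev_object_t *suspect = (const dev_object_t *)0x7f8000000100ULL;
    const dev_object_t *host_only = (const dev_object_t *)0x55aa00000000ULL;
    printf("suspect   -> %d (expect -1)\n", validate_host_object(suspect));
    printf("host_only -> %d (expect 0)\n", validate_host_object(host_only));
    return 0;
}
```

The check is cheap enough to place on the paths where a device model reads an object pointer back out of its own state, and a rejection is a high-signal event worth logging: legitimate host objects are allocated by the host allocator, so any pointer that resolves into guest RAM indicates corruption rather than a configuration quirk.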
AI review
A systematic technique for turning previously unexploitable hypervisor pointer corruption bugs into working VM escape exploits by redirecting corrupted pointers into attacker-controlled guest memory. 772 cross-domain gadgets in QEMU, 15 real vulnerabilities exploited through an automated framework. This is exactly the kind of work that changes how we think about hypervisor vulnerability severity.