Broadcom has confirmed active exploitation of CVE-2026-4455, a heap overflow vulnerability in VMware ESXi's XHCI USB controller emulation. The flaw allows a malicious virtual machine to escape its sandbox and execute code in the hypervisor context — a guest-to-host escape with CVSS 9.8.
A VM escape is among the most severe vulnerability classes in virtualized infrastructure. When a guest VM escapes its hypervisor sandbox, it gains access to the host OS and, by extension, every other VM running on the same physical host. In cloud environments, this means a tenant VM could potentially access other customers' workloads.
CVE-2026-4455 is a heap overflow in the XHCI (USB 3.0) controller emulation code. A guest VM with access to the virtual USB controller can send malformed USB transfer requests that overflow a heap buffer in the host's vmkernel process. By controlling the overflow data, an attacker can corrupt adjacent heap structures and achieve arbitrary code execution in the VMX process running on the host.
CRITICAL: This vulnerability is exploitable from within a guest VM with no special privileges. Any tenant or user with VM console access can trigger the exploit. Shared hosting environments and VDI deployments are at highest risk.
Broadcom's threat intelligence team has confirmed exploitation by at least one ransomware group targeting managed service providers. The attack chain involves initial access to a low-privilege VM, exploitation of CVE-2026-4455 to escape to the host, and then lateral movement across the host's VM inventory to deploy ransomware across all guest VMs simultaneously.
Apply the patches in ESXi80U3b and ESXi70U3s immediately. If patching requires a maintenance window, the immediate workaround is to remove the XHCI USB controller from all VMs that do not require USB passthrough functionality. This can be done without rebooting the guest VM in most configurations.
# Remove XHCI controller via esxcli (run on ESXi host)
esxcli hardware usb passthrough device disable -d [device-id]
# Or via vSphere UI: VM Settings → Remove USB Controller (XHCI)

CVE ID: CVE-2026-4455
CVSS Score: 9.8 / 10.0 — CRITICAL
Affected Products:
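Before applying the workaround above, an administrator needs to know which VMs actually present a virtual XHCI controller to the guest. The following POSIX shell script is an added example (not code from the article or from Broadcom) that scans each VM's .vmx configuration file and lists the VMs whose controller is still enabled. It assumes the .vmx key usb_xhci.present = "TRUE" is what enables the virtual controller (the key vSphere writes when one is added) and the default /vmfs/volumes/<datastore>/<vm-folder>/ layout; both are assumptions stated in the code. One caveat: the esxcli line above acts on host-level USB passthrough of a physical device (its -d argument is a physical device id), so removing the virtual controller from a VM is done through that VM's configuration, as the vSphere UI step describes.

```shell
#!/bin/sh
# Added example, not code from the article or from Broadcom: find VMs whose
# configuration still exposes a virtual XHCI (USB 3.x) controller to the guest.
# Assumption: the .vmx key usb_xhci.present = "TRUE" enables the virtual XHCI
# controller, and .vmx files live under /vmfs/volumes/<datastore>/<vm-folder>/.

# vmx_has_xhci FILE -> exit status 0 when FILE enables the XHCI controller
# (matches usb_xhci.present = "TRUE", any whitespace, any case, quotes optional)
vmx_has_xhci() {
    grep -iqE '^[[:space:]]*usb_xhci\.present[[:space:]]*=[[:space:]]*"?true"?[[:space:]]*$' "$1"
}

# vmx_display_name FILE -> prints the VM's displayName, or the .vmx base name
# when the key is absent
vmx_display_name() {
    _name=$(sed -n 's/^[[:space:]]*displayName[[:space:]]*=[[:space:]]*"\(.*\)"[[:space:]]*$/\1/p' "$1" | head -n 1)
    if [ -n "$_name" ]; then
        printf '%s\n' "$_name"
    else
        basename "$1" .vmx
    fi
}

# list_xhci_vms DIR -> one line per affected VM: "<displayName><TAB><vmx path>"
list_xhci_vms() {
    find "$1" -type f -name '*.vmx' | while IFS= read -r vmx; do
        if vmx_has_xhci "$vmx"; then
            printf '%s\t%s\n' "$(vmx_display_name "$vmx")" "$vmx"
        fi
    done
}

# count_xhci_vms DIR -> prints the number of affected VMs under DIR
count_xhci_vms() {
    list_xhci_vms "$1" | wc -l | tr -d ' '
}

# demo_scan -> runs the scan over constructed .vmx files (not real VMs)
demo_scan() {
    d=$(mktemp -d)
    mkdir -p "$d/web01" "$d/db01"
    # constructed sample: web01 has XHCI enabled, db01 only the USB 2.0 controller
    printf 'displayName = "web01"\nusb_xhci.present = "TRUE"\n' > "$d/web01/web01.vmx"
    printf 'displayName = "db01"\nusb.present = "TRUE"\n' > "$d/db01/db01.vmx"
    list_xhci_vms "$d"
    rm -rf "$d"
}

if [ "${1:-}" = "demo" ]; then
    demo_scan
fi
```

Run `sh xhci_inventory.sh demo` to see the constructed sample, or source the file on an ESXi host and call `list_xhci_vms /vmfs/volumes` to get the real inventory. The script is read-only by design: it reports VMs to act on but edits no .vmx file, because configuration changes to a powered-on VM belong in the vSphere UI or API rather than in a direct file edit.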