CVE-2023-20900
Medium
ESXi

VMware ESXi NVMe Controller Out-of-Bounds Read Vulnerability

Alex Thompson

Summary

An out-of-bounds read vulnerability in the VMware ESXi NVMe controller allows a guest virtual machine to read hypervisor memory, potentially leading to information disclosure.

Description

VMware ESXi contains an out-of-bounds read vulnerability in the NVMe controller that allows a guest virtual machine to read hypervisor memory. This could lead to information disclosure from the ESXi host or from other virtual machines.

The vulnerability exists in the way the NVMe controller processes certain commands from guest virtual machines. When processing these commands, the controller fails to properly validate memory boundaries, allowing a malicious virtual machine to read memory outside its allocated region.

An attacker with administrative access to a virtual machine could exploit this vulnerability to read sensitive information from the ESXi host memory, potentially including cryptographic keys, credentials, or data from other virtual machines.

Affected Products

  • ESXi 8.0 before ESXi80U1f-23850231
  • ESXi 7.0 before ESXi70U3s-23850230
  • ESXi 6.7 before ESXi670-202310401-SG
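
To triage hosts against the fixed releases listed above, the following added example (not part of the original advisory and not VMware tooling) parses the banner printed by `vmware -v` on each host and compares its build number with the listed fix. It assumes build numbers only increase within a release line; the host names and banners in the inventory are constructed sample values.

```python
import re

# Fixed releases copied from the "Affected Products" list on this page.
# The 6.7 entry is a patch bulletin ID with no build number, so it cannot
# be compared numerically and is reported for manual verification.
FIXED = {
    "8.0": ("ESXi80U1f-23850231", 23850231),
    "7.0": ("ESXi70U3s-23850230", 23850230),
    "6.7": ("ESXi670-202310401-SG", None),
}

# Matches banners such as "VMware ESXi 8.0.1 build-20000000".
BANNER = re.compile(r"ESXi\s+(\d+\.\d+)(?:\.\d+)*\s+build-(\d+)")


def assess(banner):
    """Return (status, detail) for one `vmware -v` banner line."""
    m = BANNER.search(banner)
    if not m:
        return "unknown", "banner not recognised"
    line, build = m.group(1), int(m.group(2))
    if line not in FIXED:
        return "not-listed", f"ESXi {line} is not in the advisory's list"
    fix_name, fix_build = FIXED[line]
    if fix_build is None:
        return "manual", f"confirm bulletin {fix_name} is installed"
    # Assumption: build numbers only increase within a release line.
    if build < fix_build:
        return "affected", f"build {build} predates {fix_name}"
    return "fixed", f"build {build} is at or after {fix_name}"


# Constructed inventory: host names and build numbers are sample values.
INVENTORY = {
    "esx-a": "VMware ESXi 8.0.1 build-20000000",
    "esx-b": "VMware ESXi 8.0.1 build-23850231",
    "esx-c": "VMware ESXi 7.0.3 build-23850229",
    "esx-d": "VMware ESXi 6.7.0 build-20000000",
    "esx-e": "connection timed out",
}


def report(inventory):
    """Map each host to its status so results can be fed to ticketing."""
    return {host: assess(banner)[0] for host, banner in inventory.items()}


if __name__ == "__main__":
    for host, banner in INVENTORY.items():
        print(f"{host:8} {assess(banner)[0]:10} {assess(banner)[1]}")
```

Hosts reported as `manual` or `unknown` still need a direct check of installed patches before they are treated as remediated.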

CVSS Score

6.5
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

About the Author

Alex Thompson

Security Researcher

Alex specializes in storage security and virtualization technologies.