THREAT OPS › Threat News › On the clock: Escaping VMware Workstation at Pwn2Own Berlin 2025
On the clock: Escaping VMware Workstation at Pwn2Own Berlin 2025
At Pwn2Own Berlin 2025, we exploited VMware Workstation by abusing a Heap-Overflow in its PVSCSI controller implementation. The vulnerable allocation landed in the LFH allocator of Windows 11, whose exploit mitigations posed a major challenge. We overcame this through a complex interplay of techniques: defeating the LFH randomization using a side-channel; shaping and carefully preserving an exploi