Mad Bugs: QEMU and UTM Escape
Researchers discovered a guest-to-host escape vulnerability in QEMU's virtio-gpu device that affects UTM when running in emulation mode with VNC enabled. The exploit leverages a memory disclosure via the VNC server, allowing a compromised guest to read host heap memory and achieve code execution. Although patched in QEMU 11.0.0, the fix was not backported to the 10.x series used by UTM, leaving prior versions exposed.
- The vulnerability allows guest-to-host code execution in QEMU through the virtio-gpu device when VNC is enabled.
- Attackers can use the VNC server to leak host memory by sending a FramebufferUpdateRequest from the guest, effectively turning pixel data into a memory read primitive.
- The exploit requires root access within the guest and only works in UTM when configured in emulation mode with VNC active, not when using Apple's Virtualization framework.
- This vulnerability was independently rediscovered and had already been patched in QEMU 11.0.0 but not backported to the 10.x stable branch used by UTM.
- A full macOS escape would require a second vulnerability to break out of Apple's App Sandbox, which was not part of this exploit chain.
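The three conditions the summary names (QEMU below 11.0.0, a virtio-gpu display device, a VNC server) are all visible on a QEMU process's command line, so a defender can triage exposed VMs without touching the guest. The following is an added example, not code from the post or from the QEMU or UTM projects; the QEMU command line is constructed, and the set of virtio-gpu device names treated as in scope is an assumption, since the post only says "virtio-gpu device".

```python
import re
import shlex

# Constructed example command line for an emulated (TCG) guest with a
# virtio-gpu display served over VNC; not taken from the post.
SAMPLE_CMDLINE = (
    "qemu-system-aarch64 -machine virt -accel tcg -cpu cortex-a72 -m 4096 "
    "-device virtio-gpu-pci -vnc 127.0.0.1:0 -drive file=disk.qcow2,if=virtio"
)

# Assumption: every virtio-gpu device variant is treated as in scope for
# triage, because the post does not single out one of them.
VIRTIO_GPU_DEVICES = {
    "virtio-gpu-pci", "virtio-gpu-gl-pci", "virtio-vga", "virtio-vga-gl",
    "virtio-gpu-device",
}
FIXED_VERSION = (11, 0, 0)  # fixed in QEMU 11.0.0; 10.x not backported

def parse_version(version: str) -> tuple[int, int, int]:
    """Turn 'QEMU emulator version 10.0.2 (...)' or '10.0.2' into a tuple."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"no version number in {version!r}")
    return tuple(int(x) for x in m.groups())

def uses_virtio_gpu(argv: list[str]) -> bool:
    """True if any -device argument names a virtio-gpu variant."""
    for flag, value in zip(argv, argv[1:]):
        if flag == "-device" and value.split(",")[0] in VIRTIO_GPU_DEVICES:
            return True
    return False

def uses_vnc(argv: list[str]) -> bool:
    """True if a VNC display is configured (-vnc <addr> or -display vnc=...)."""
    for flag, value in zip(argv, argv[1:]):
        if flag == "-vnc" and not value.startswith("none"):
            return True
        if flag == "-display" and value.startswith("vnc="):
            return True
    return False

def is_exposed(version: str, cmdline: str) -> bool:
    """Exposed only when all three hold: unpatched QEMU, virtio-gpu, VNC on."""
    argv = shlex.split(cmdline)
    return (parse_version(version) < FIXED_VERSION
            and uses_virtio_gpu(argv) and uses_vnc(argv))

if __name__ == "__main__":
    print(is_exposed("QEMU emulator version 10.0.2", SAMPLE_CMDLINE))
```

Disabling VNC (`-vnc none`) or upgrading to 11.0.0 each clears the flag on its own, which mirrors the mitigations the summary implies.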
Opening excerpt (first ~120 words)
In which the guest VNCs into its own host and watches the heap like a screensaver.

Apr 28, 2026

This post is part of MAD Bugs, our Month of AI-Discovered Bugs, where we pair frontier models with human expertise and publish whatever falls out.

Before we dive in, one piece of news. Dion Blazakis and Stefan Esser are joining Calif. Dion just ~~escaped~~ left the fruit company, so we thought it'd be fitting to drop a macOS VM escape exploit.

Our targets are QEMU and UTM. QEMU is the open-source machine emulator and virtualizer that powers most Linux virtualization stacks: libvirt, OpenStack, KubeVirt, and the KVM side of many cloud platforms. UTM is the App-Store-friendly macOS and iOS frontend that wraps QEMU.
…
Excerpt limited to ~120 words for fair-use compliance. The full article is at Calif.