
Oracle VM VirtualBox – VM Escape via VGA Device

AshamedCaptain

For the record: Oracle does not consider that the 3D feature should be enabled when the VM is untrusted. It's still classified as experimental and will likely be so for another decade at least.

fulafel

They don't say anything about untrusted VMs or security in the documentation (https://www.virtualbox.org/manual/topics/guestadditions.html...).

smegger001

Would this work with a headless VM only accessed via SSH? I perhaps naively assume it would be safe as it's not using a virtual VGA device, but perhaps the machine still has the VGA device present in the virtual environment; it's just not being used by the user but still vulnerable?

Also, is this specific to any particular host operating system, or all versions of VirtualBox?

fulafel

Despite the title, the vulnerable function name (vmsvga3dSurfaceMipBufferSize) tells you it's in the VMSVGA virtual 3D graphics device, not the basic VGA hardware needed for normal boot-up console stuff.

rjsw

If the kernel in the VM has the DRM code loaded into it, maybe as a module, then I think you would be able to trigger this bug.

bobmcnamara

Availability of the VM device is up to the host's configuration for that VM. You can remove it, but there's one display present by default - don't recall which

orev

All* PCs require a VGA console to boot. Maybe there’s some special type that doesn’t, but it would be extremely rare. When running headless it’s just hiding the console window, but the device still exists on the machine.

da768

Network appliances (Lanner, Netgate, Axiomtek, PC Engines, etc.) typically only have a serial console and no GPU hardware at all. The same applies to any Linux VM: you can remove the VGA device and keep a serial port in the config.

Retr0id

Linux has no problem booting without a VGA device present

_flux

That's true, but there may be some desktop BIOSes that will fail to boot without a display adapter, though I've had good luck on that on the few hosts I've made headless servers.

lyu07282

The linked repo wasn't updated in 8 months, up-to-date code is here:

https://www.virtualbox.org/browser/vbox/trunk/src/VBox/Devic...

I think this was the fix:

https://www.virtualbox.org/changeset/108903/vbox/trunk/src/V...

johnisgood

Thanks. Wild. I bet the codebase is full of code like the originally exploitable one. At this point maybe one should use wrappers for all sorts of calculations. :D
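As an added illustration of the "wrappers for all sorts of calculations" point, here is a checked versus unchecked surface size computation. This is example code written for this thread, not VirtualBox's code and not the patched vmsvga3dSurfaceMipBufferSize: the `struct mip_level` type, the `MIP_MAX_BYTES` cap and the function names are hypothetical. The unchecked version shows the classic pattern where a product of guest-controlled 32-bit dimensions wraps to a small value, so a later allocation is undersized relative to the copy that follows; the checked version routes every multiply through `__builtin_mul_overflow` (GCC/Clang) and additionally rejects sizes that fit in `size_t` but are absurd for a texture.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical texture geometry as a guest might describe it. Not a
 * VirtualBox type; the fields are just what a size calculation needs. */
struct mip_level {
    uint32_t width;
    uint32_t height;
    uint32_t depth;
    uint32_t bytes_per_pixel;
};

/* Assumed upper bound for one mip level; any real device would pick
 * its own limit. 256 MiB here. */
#define MIP_MAX_BYTES ((size_t)256 * 1024 * 1024)

/* Vulnerable pattern: four 32-bit multiplies in 32-bit arithmetic.
 * 0x10000 * 0x10000 wraps to 0, so a huge surface reports size 0 and
 * whatever is allocated from it is far smaller than what gets written. */
uint32_t mip_size_unchecked(const struct mip_level *m)
{
    return m->width * m->height * m->depth * m->bytes_per_pixel;
}

/* Hardened pattern: widen to size_t, check each multiply for overflow,
 * and cap the result. Returns false when the geometry must be rejected. */
bool mip_size_checked(const struct mip_level *m, size_t *out)
{
    size_t n;

    if (m->width == 0 || m->height == 0 || m->depth == 0 ||
        m->bytes_per_pixel == 0)
        return false;
    if (__builtin_mul_overflow((size_t)m->width, (size_t)m->height, &n))
        return false;
    if (__builtin_mul_overflow(n, (size_t)m->depth, &n))
        return false;
    if (__builtin_mul_overflow(n, (size_t)m->bytes_per_pixel, &n))
        return false;
    /* Fitting in size_t is not enough: a 64-bit size can still be far
     * larger than any sane allocation. */
    if (n > MIP_MAX_BYTES)
        return false;

    *out = n;
    return true;
}

/* Derive mip level `level` from the base level (each dimension halves,
 * never below 1) and size it with the checked routine. */
bool mip_size_for_level(const struct mip_level *base, unsigned level,
                        size_t *out)
{
    struct mip_level m = *base;

    if (level >= 32)
        return false;
    m.width  = base->width  >> level ? base->width  >> level : 1;
    m.height = base->height >> level ? base->height >> level : 1;
    m.depth  = base->depth  >> level ? base->depth  >> level : 1;
    return mip_size_checked(&m, out);
}

int main(void)
{
    /* Constructed "guest-controlled" geometry chosen to wrap 32 bits. */
    struct mip_level hostile = { 0x10000, 0x10000, 1, 4 };
    struct mip_level sane    = { 1024, 768, 1, 4 };
    size_t n;

    printf("unchecked hostile size: %u\n", mip_size_unchecked(&hostile));
    printf("checked hostile: %s\n",
           mip_size_checked(&hostile, &n) ? "accepted" : "rejected");
    if (mip_size_checked(&sane, &n))
        printf("checked sane: %zu bytes\n", n);
    if (mip_size_for_level(&sane, 3, &n))
        printf("checked sane level 3: %zu bytes\n", n);
    return 0;
}
```

The point of the cap is that once the arithmetic is done in a wider type, the next bug is usually a "valid" multi-gigabyte size being passed to an allocator or, worse, being accepted and then only partially filled; rejecting out-of-policy sizes up front closes that path too.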

vardump

VirtualBox just crashes all the time anyways. At least the few newest versions keep crashing when running Ubuntu 22.04 or 24.04 LTS.

fulafel

It was crashy years ago as well. In the host kernel driver part, which is the worst place. And half of open source dev projects had Vagrant setups needing VirtualBox. Even though Docker has its problems, it's not half as bad.

noosphr

This is a problem with Ubuntu and not VirtualBox. I spent a few hours today fighting with 24.04.02 in libvirt only to realize that they are using some fancy new GUI library for the installer which crashes on all VMs: https://www.dell.com/support/kbdoc/en-us/000123893/manual-no...

Mandatory Ubuntu considered harmful.

If only NVidia considered Debian a first class distribution so I never had to use Ubuntu again.

Neywiny

I updated to the latest (7.1.8?) and that fixed the inability to use 3d acceleration. But yes I've found they have a terrible release "process" that seems to not include testing. I tried switching to VMWare but A) broadcom makes it difficult to download B) since a recent kernel/driver update on my host, even a fresh Windows guest locks up in boot (can't get through install).

Might try going back to QEMU. VMware had the best performance by far, though, which was great for Windows-only 3D model software. Even with 3D acceleration, VirtualBox is so sluggish for me.

vardump

I’m using the latest, same version. Just a horrible experience overall. Whole VirtualBox hypervisor crashes regularly.

VMWare was the gold standard before, but so hopeless now.

I wish Parallels released something for Windows. Their Mac offerings are great.

Maybe I should try QEMU on the desktop as well.

immibis

Broadcom is one of those companies that gets you hooked and then sues you for a lot of money.

... So is Oracle, though.

mhitza

In my recent experience Ubuntu is pretty buggy, I think the distro should also be part of the consideration.

Using Ubuntu on a daily machine for 6 months, after 15 years of Fedora, that's how I would describe my entire experience. Buggy.

simion314

No such issues with Kubuntu, so maybe it's the GNOME ecosystem, or maybe some unfortunate kernel + drivers + GPU combo.

mhitza

I'm using KDE as well (after giving GNOME another shot for a week, which had even more issues), though I installed KDE in parallel, so there's always the chance that some GNOME residue is causing those issues.


oguz-ismail

works on my machine

Thaxll

There is no reason to use VirtualBox on Windows nowadays. Hyper-V and VMware are free for personal use and are much, much better than VirtualBox.

https://blogs.vmware.com/workstation/2024/05/vmware-workstat...

VladVladikoff

Except virtual box is open source and probably the whole reason these vulnerabilities are found. I’m sure similar vulnerabilities could exist in VMware but are much harder to find due to being closed source.

Retr0id

Even if we accept the premise, I'd rather use software that contains hard-to-find bugs than easy-to-find bugs, all other things being equal.

In my experience of casual usage VMware is less buggy in general (no random crashes, etc.), and that usually translates into fewer security bugs too.

But if your adversary is spending $$$$$ on vulns to throw at you, you can probably assume they can vm-escape either one.

rrdharan

It’s really not harder for the folks with this skill set, and plenty of these vulnerabilities have been found in VMware too over the years.

https://www.blackhat.com/presentations/bh-usa-09/KORTCHINSKY...

https://www.darkreading.com/vulnerabilities-threats/vmware-z...

https://cloud.google.com/blog/topics/threat-intelligence/vmw...

nicce

It is always harder, because it always takes more time. We don't know the ratio (how many more bugs would have been found if VMware were open source).

AshamedCaptain

VirtualBox is the only one of the three mentioned that is still both free as in beer (even for commercial use*) and free as in freedom (GPLv3).

* Unless you use the Oracle plugin, but you really shouldn't, because most features from it have been moved to the GPL base.

The only other really free alternative is Qemu.

notpushkin

> most features from it have been moved to the GPL base

Wow, that’s nice to hear! Installing the ext pack used to be an almost mandatory step for me.

TMWNN

> * Unless you use the Oracle plugin, but you really shouldn't, because most features from it have been moved to the GPL base.

Oh? I moved to KVM via UnRAID, but not because of any particular complaint with VirtualBox or the Oracle plugin. But then, I only used the plugin for the RDP feature. Has that been moved into the main codebase?

sinuhe69

Nope. Hyper-V only works on pro and higher versions of Windows. VMWare is not free. I can run VirtualBox on demand (as a portable app) and that simplifies things immensely. VirtualBox can also work with all different kinds of virtual hard disks, can archive and import archives from different versions without any problem and that make it a versatile and useful tool. There are also tons of information about VirtualBox from the community.

hk1337

That, and most development VirtualBox use has moved to Docker, which has caused things like Hyper-V on Windows and macOS to create better alternatives for Docker to use, and Linux doesn't need the VM.

ekianjo

Your post is obsolete. VMware workstation is now free for all users, even commercial ones.

https://blogs.vmware.com/cloud-foundation/2024/11/11/vmware-...

nicce

Is there any catch? Can we say that Broadcom brought something good when they bought it?

AshamedCaptain

Yes: development of VMware Workstation has been abandoned for years, ever since the original team was fired.

ekianjo

No catch as far as I know.
