VMM Escape Vulnerability 2026: How Glasswing Broke Hypervisor Isolation
A guest VM breaking out to the host is the worst-case scenario in cloud and virtualized environments. Glasswing found the vulnerability that makes it possible.

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
The fundamental promise of cloud computing and enterprise virtualization is isolation: your VM cannot see or affect another customer's VM, and code running inside a guest cannot reach the host system that manages it. A VMM escape, a vulnerability that allows guest VM code to break out to the hypervisor host, is a direct violation of that promise. It is the highest-severity vulnerability class in cloud and enterprise virtualized environments because it invalidates every security control layered above the hypervisor boundary. Project Glasswing's Claude Mythos AI identified a VMM escape as one of its 9 confirmed CVEs, documented in the July 5, 2026 90-day progress report. The vulnerability is under coordinated disclosure. This post explains why VMM escapes are categorically more serious than other vulnerability classes, how Glasswing's autonomous exploit development found this flaw, which hypervisors are implicated, and what security teams must do to protect their cloud and on-premises virtualized infrastructure.
Why VM Escape Is the Highest-Severity Class in Cloud Security
In a traditional multi-layered security model, controls are stacked: network segmentation, host-based firewalls, OS hardening, application-layer security, and identity controls all operate above the hypervisor. The hypervisor is the foundation that the entire stack assumes is trustworthy. A VMM escape invalidates that foundation. An attacker who escapes from a guest VM to the host can disable or tamper with every other security control on the host, because those controls run as processes or services within guest VMs or as host-level software that the attacker now controls. In cloud environments, the blast radius extends further. A compromised hypervisor host provides access to the memory and storage of every VM running on that physical server. An attacker can read cryptographic key material from adjacent VMs, inject code into running processes in other tenants' VMs, access VM disk images at the block level, and intercept or manipulate network traffic between VMs before it reaches virtualized network controls. This is why cloud providers treat hypervisor-level vulnerabilities with the highest urgency and patch them as infrastructure updates, often without customer action required.
How Glasswing Found the VMM Escape: Autonomous Exploit Chain Development
Claude Mythos approaches hypervisor vulnerability research by reasoning about the VMEXIT handling code, the interface between guest VM execution and the hypervisor. When a guest VM executes a privileged instruction (like CPUID, VMCALL, or an I/O port access), the CPU transfers control from the guest to the hypervisor through a VMEXIT event. The hypervisor handles the request and returns control to the guest through a VMENTRY. This mechanism is the most complex and security-critical interface in hypervisor design, and it is where VMM escape vulnerabilities most commonly occur. Mythos systematically reasons about the conditions under which VMEXIT handler code makes incorrect assumptions about guest-controlled inputs: pointer values passed by the guest, hypercall argument sizes, MMIO (memory-mapped I/O) access patterns, and PCI device emulation data. By identifying cases where the hypervisor processes guest-supplied data without adequate bounds checking or type validation, Mythos can construct a guest-side exploit that triggers the vulnerability during a legitimate VMEXIT sequence. The Glasswing 90-day progress report confirms this VMM escape as one of 9 validated CVEs, meaning Anthropic's team successfully demonstrated the complete exploit chain from guest execution to host compromise.
“VMEXIT handler code is the most consequential trust boundary in virtualization. An error in that boundary, where guest-controlled input meets hypervisor privilege, converts a VM compromise into a host compromise.”
Anthropic Project Glasswing 90-Day Progress Report, July 5, 2026
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Which Hypervisors Are Implicated?
The specific hypervisor or hypervisors affected by the Glasswing VMM escape are under coordinated disclosure embargo as of July 5, 2026. The vulnerability disclosure lists the vendor category as multiple (hypervisor vendors), indicating that more than one hypervisor implementation may be affected by the same vulnerability class, possibly due to shared code, shared architectural patterns, or independent implementations of the same flawed design. The three major hypervisor platforms that security teams should treat as potentially affected are: KVM (Kernel-based Virtual Machine), the open-source hypervisor embedded in the Linux kernel and used as the foundation for AWS EC2 (via Nitro), Google Cloud, and most Linux-based virtualization deployments. VMware ESXi, the enterprise hypervisor platform used in on-premises VMware deployments and VMware Cloud on AWS. Xen, the open-source hypervisor used historically by AWS (pre-Nitro) and still deployed in some cloud and research environments. Security teams should monitor vendor security advisory channels for all three platforms and be prepared to apply emergency hypervisor patches on very short timelines once the embargo lifts.
Attack Scenario: Compromised Tenant VM to Host Takeover
Consider a realistic attack chain that uses the Glasswing VMM escape in a cloud environment. Stage one: an attacker compromises a workload running in a cloud VM through a web application vulnerability, a supply chain compromise in a container image, or a phishing-delivered payload that executes inside the VM. At this point, the attacker has code execution inside the guest VM as a limited-privilege user or service account. Stage two: the attacker escalates privileges inside the guest VM to root, either through a local privilege escalation (as in the Glasswing Linux LPE CVE) or through a misconfigured sudo rule or setuid binary. They now have root inside the guest. Stage three: the attacker executes the VMM escape exploit from root inside the guest. A carefully crafted sequence of hypercalls or I/O operations triggers the VMEXIT handler vulnerability, and the exploit code gains execution in the hypervisor host context. Stage four: with host-level access, the attacker can read the memory of adjacent tenant VMs (extracting API keys, database passwords, TLS private keys stored in memory), inject a persistent rootkit into the host that survives VM termination and relaunch, pivot to the cloud management plane through credentials stored in the host's memory or on-disk, and establish a covert communication channel that bypasses guest-level network monitoring.
Enterprise Blast Radius: On-Premises and Hybrid Environments
For organizations running on-premises VMware ESXi or KVM-based private cloud, the VMM escape scenario means an attacker who compromises any guest VM can potentially reach the ESXi host and from there access all other VMs on that host, including domain controllers, database servers, backup systems, and security monitoring infrastructure. In a typical enterprise VMware deployment, ESXi hosts are managed by vCenter Server, which controls the entire virtualization cluster. A compromised ESXi host with access to vCenter credentials can expand to the entire cluster. Hybrid environments that use VMware Cloud on AWS or Azure VMware Solution face the same ESXi-level risk for guest workloads running in those environments. The specific blast radius depends on network segmentation between management networks (vSphere management, iDRAC/iLO) and production guest networks. Organizations that have not implemented management network isolation face a higher risk of lateral movement following a VMM escape.
Cloud Shared-Responsibility Model: What You Own
The cloud shared-responsibility model assigns hypervisor infrastructure security to the cloud provider and guest OS security to the customer. For the Glasswing VMM escape, this division means that cloud providers are responsible for patching the vulnerable hypervisor component in their infrastructure, a process they perform transparently and without customer action in most cases. Customers are responsible for patching guest OSes, hardening VM configurations, and monitoring for signs of compromise at the guest level. However, the shared-responsibility model does not mean customers are completely passive in this situation. Customers should verify that their cloud provider has issued a security bulletin addressing this class of vulnerability once the embargo lifts. For on-premises VMware and KVM deployments, customers bear full responsibility for hypervisor patching. The shared-responsibility model provides no protection for self-managed hypervisors.
Hardening: Nested Virtualization, IOMMU, and Management Isolation
Several hypervisor configuration controls reduce VMM escape risk and should be validated before the Glasswing embargo lifts. Disable nested virtualization unless specifically required. Nested virtualization (running a VM inside a VM) dramatically increases the VMEXIT handler code paths exposed to guest-controlled input and should be disabled on all hosts where it is not operationally necessary. Enable IOMMU (VT-d on Intel, AMD-Vi on AMD). Input-output memory management units prevent DMA attacks where a guest could use a malicious PCIe device to access host memory directly. IOMMU must be enabled in both the host BIOS/UEFI and the hypervisor configuration. Isolate the hypervisor management network. ESXi management interfaces, IPMI/iDRAC/iLO BMC interfaces, and KVM-over-IP should be on an isolated management VLAN with no route from guest VM networks. Apply the principle of least privilege to hypervisor service accounts and vCenter roles. Restrict which accounts can access the vSphere API and console, and enable multi-factor authentication for vCenter and ESXi host login.
Detection: Anomalous VMEXIT Patterns and Host-Level Telemetry
Detecting a VMM escape in progress is significantly harder than detecting most other attack types, because the exploit code operates below the level at which guest OS monitoring tools can observe. Host-level detection requires telemetry collected by the hypervisor itself or by out-of-band management infrastructure. For VMware ESXi deployments, VMware Carbon Black and VMware Aria (formerly vRealize) provide host-level telemetry that can detect anomalous VMEXIT rates, unusual hypercall patterns from specific guest VMs, and changes to ESXi host configuration or file system that occur outside of normal maintenance windows. For KVM-based environments, QEMU audit logs and Linux kernel tracing (ftrace, eBPF-based tools like bpftrace) can capture unusual patterns in VMEXIT handling and memory allocation in the hypervisor process. Out-of-band monitoring through IPMI, iDRAC, or iLO interfaces can detect unexpected host reboots or configuration changes that might indicate post-exploitation activity. These telemetry sources should be routed to a centralized SIEM outside the affected host environment, because a compromised hypervisor host can tamper with local logging.
Full Technical Breakdown, IOCs, and Hypervisor Hardening Runbook
Anthropic's Glasswing disclosure package for the VMM escape vulnerability includes the complete technical analysis of the VMEXIT handler flaw, hypervisor-specific detection rules for VMware and KVM environments, a hardening runbook with configuration commands for ESXi, KVM/QEMU, and Xen, and the full IOC list from Mythos's controlled exploitation testing. These are available exclusively in the free Mythos Brief.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
The bottom line
A VMM escape is not a vulnerability you mitigate by patching the guest OS or tightening application security. It breaks the isolation boundary that every other security control in your cloud or virtualized environment depends on. The Glasswing-attributed VMM escape is under coordinated disclosure, and the race between defenders and attackers begins the moment that embargo lifts. Apply hypervisor patches immediately when vendor advisories are published. In the meantime, disable nested virtualization, enable IOMMU, isolate management networks, and instrument your hypervisor hosts for anomalous VMEXIT activity. The full technical analysis, hypervisor hardening runbook, detection rules, and IOC list from Anthropic's Glasswing disclosure package are available in the free Mythos Brief at decryptiondigest.com/mythos-brief.
This analysis is generic — the platform version scores threats like this against your own stack.
Frequently asked questions
Does this affect AWS?
AWS EC2 instances run on a customized hypervisor stack based on KVM, augmented by the Nitro System, which moves traditional hypervisor functions (networking, storage, security) into dedicated hardware and firmware components. The Nitro System was specifically designed to reduce the attack surface of the hypervisor. Whether AWS's Nitro-based infrastructure is affected by the Glasswing VMM escape depends on which specific hypervisor component contains the vulnerability, which is under embargo as of July 5, 2026. AWS has a rapid response process for hypervisor-level vulnerabilities and patches infrastructure transparently without requiring guest OS reboots in most cases. Security teams should monitor AWS Security Bulletins and subscribe to AWS Health events for their accounts.
What is the difference between a VMM escape and a container escape?
A container escape breaks out of the container isolation boundary (Linux namespaces and cgroups) to reach the host OS, but the host OS is shared by design in container architectures. A VMM escape breaks out of a hardware-level virtualization boundary, where the guest OS has no legitimate access to the host system or other guest VMs. VMM escapes are generally considered more severe because the isolation they break is a stronger and more fundamental security boundary. A container escape can sometimes be mitigated by Kubernetes PodSecurityAdmission or seccomp profiles. A VMM escape bypasses all of those controls because it operates below the level at which those controls are enforced.
How do I know if my hypervisor is patched?
For VMware ESXi, check the patch level through vSphere Client or the ESXi shell using the esxcli software vib list command and compare against VMware Security Advisories. For Xen, check the installed version against Xen Project Security Advisory (XSA) advisories. For KVM-based deployments (including most Linux server hypervisors), the KVM vulnerability is patched through the Linux kernel, so applying kernel updates through your distribution's security repository covers the KVM component. Cloud providers patch their hypervisor infrastructure independently and do not always issue public notifications for guest-transparent hypervisor patches.
Does my cloud provider patch this automatically?
Major cloud providers (AWS, Google Cloud, Microsoft Azure) patch hypervisor-level vulnerabilities in their infrastructure without requiring action from tenants and often without causing VM downtime. However, this is not guaranteed for every vulnerability class, and the transparency of cloud provider hypervisor patching is limited. You cannot verify from inside a guest VM that the hypervisor has been patched. If a cloud provider issues a Security Bulletin referencing a specific CVE, that is the signal that patching is complete or in progress for their infrastructure. Until such a bulletin is issued for this Glasswing VMM escape CVE (pending disclosure embargo lift), assume uncertainty.
How does a VMM escape affect multi-tenant cloud environments?
In a multi-tenant cloud environment, multiple customer VMs run on the same physical host. A VMM escape executed from one tenant's VM can reach the host hypervisor, from which it can access memory belonging to other tenant VMs, inject code into other VMs, or compromise the host management infrastructure that controls all VMs on the physical server. This is the tenant isolation failure scenario that cloud providers design their security architectures to prevent. It is also why VMM escapes are treated as the highest severity class by cloud providers and receive the most rapid patching response.
What VMware ESXi and KVM configuration settings reduce VMM escape risk before a patch is available?
For VMware ESXi, disable nested virtualization (vSphere API property 'nestedHVEnabled = false' on all VMs), remove passthrough PCI device assignments from VMs that do not require them, restrict access to the ESXi shell and SSH to management network source addresses only, and enable VMware's Lockdown Mode to prevent direct API access to ESXi hosts except through vCenter. For KVM/QEMU environments, run QEMU processes with a seccomp filter enabled ('--sandbox on' in QEMU command line), disable QEMU features that expand VMEXIT handler surface such as SPICE remote desktop and USB redirection unless operationally required, and use IOMMU passthrough only for VMs that explicitly need direct hardware access. On all platforms, ensure the management network for hypervisor hosts is on a dedicated VLAN with no route from guest VM networks, and verify IPMI or iDRAC interfaces are not reachable from any guest VM subnet.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
