Escaping the Guest: How Custom LLM Workflows Uncovered Critical VMSVGA Vulnerabilities
ID: 33f6d7f5-d5a3-59e1-8498-6558378b1634
STIX ID: report--33f6d7f5-d5a3-59e1-8498-6558378b1634
Feed Name: Cyera Research Labs
Cyera Research Labs used a specialized LLM-driven code-tracing workflow to independently discover, and build a proof of concept for, an integer overflow in VirtualBox's VMSVGA vmsvgaR3RectCopy routine (CVE-2025-53024). The flaw lets the 32-bit multiplications in the scanline/offset calculations overflow and so bypass the bounds checks, enabling out-of-bounds reads (an info leak) and writes (a write primitive) from a guest VM into host memory. The report details the exploit chain (ASLR defeat via the leaks, then a libc vtable overwrite for code execution), the PoC artifacts, and the patch (conversion of the size calculations to 64-bit types) delivered in VirtualBox 7.2.0_RC1.