Broadcom fixes three VMware zero-days exploited in attacks

**Executive Summary:** Broadcom and Microsoft disclosed three critical VMware zero-day vulnerabilities (CVE-2025-22224, CVE-2025-22225, CVE-2025-22226) that enable a privileged user inside a guest VM to perform heap overflow, arbitrary write, or information disclosure against the VMX process, allowing sandbox escape to the hypervisor; Broadcom indicates exploitation has occurred in the wild and the flaws impact multiple VMware ESX products.