Bug Hunting in Hypervisors
Instructors: Corentin Bayet & Bruno Pujos
Dates: June 15 to 18, 2026
Location: Delta Hotel President Kennedy
Capacity: 15
Hypervisors are complex pieces of software that play a critical role in modern infrastructure, but like any software, they are not immune to flaws that can be exploited by sophisticated attackers. This training dives into the technical depths of virtualization technologies and explores the flaws leading to virtual machine (VM) escapes. During this training, you will sharpen your skills on multiple platforms, from the initial analysis of a target to exploiting real-world vulnerabilities.
The course explores the attack surfaces hypervisors expose to their guests, both statically and dynamically. By breaking down how virtual machines communicate with hypervisors and their internal components, participants will learn to apply their existing vulnerability research and exploitation skills to any virtualization software. The training also provides detailed insights for each studied target, including their architectures, typical vulnerabilities, and guidance for effective bug hunting.
This course is ideal for security researchers and vulnerability analysts who are already familiar with low-level systems programming and common exploitation techniques but are new to hypervisor internals. By the end of the training, participants will have a solid foundation in virtualization attack surfaces and vulnerability research as well as the ability to craft proof-of-concept exploits targeting hypervisors.
The course is designed to be given in 4 days of 7 hours.
Topics Covered
- Understanding hypervisor internals, components and architectures
- Tools and techniques to effectively perform bug hunting on virtualization software
- Methodology for navigating hypervisor code bases, both open and closed source
- Analysis of and practice with real-world vulnerabilities in QEMU/KVM, VirtualBox, VMware Workstation and ESXi
Covered Subjects
1. Hypervisor basics
The main foundational concepts of hypervisors and their role in virtualization will be introduced:
- The definition and purpose of a hypervisor
- Core architecture and components
- x86 hardware-assisted virtualization
  - VT-x/AMD-V
  - EPT/SLAT
- The necessity of device emulation and para-virtualization in providing hardware to the guest
2. Interacting with the hypervisor
Students will learn how virtual machines communicate with hypervisors and how to replicate these interactions for bug hunting:
- Mechanisms for triggering guest-host interactions via MMIO, PMIO, and DMA
- Using PCI/PCIe interfaces to communicate with specific emulated or para-virtualized devices
- Tools and techniques for scripting guest-hypervisor communications
3. Navigating and understanding the code base
Participants will learn to effectively navigate both open-source and proprietary hypervisor codebases:
- Exploration of the architectural layouts of QEMU/KVM, VirtualBox, VMware Workstation, and ESXi
- Techniques for pinpointing areas of interest, such as memory mapping functions, device initialization, and handlers
- Leveraging reverse engineering tools and methods to analyze complex, closed-source code
- Reviewing strategies for locating documentation and resources to help symbolize closed-source code and understand internals
4. Bug Hunting
Trainers will outline a structured approach to identifying and exploiting vulnerabilities in hypervisors:
- Identifying common attack surfaces
- Recognizing bug types specific to virtualization
- Tools and strategies for debugging hypervisors
- Exploring fuzzing challenges and possible solutions
- Rediscovering and exploiting n-day vulnerabilities as practical training for real-world bug hunting
Assignments
Assignments are divided into several steps and integrated throughout each day of training. Each day focuses on a different hypervisor to demonstrate the concepts covered. For each target, students will have the opportunity to analyze and exploit at least one real-world n-day vulnerability that impacted the hypervisor.
Explore Device Emulation on QEMU/KVM
In this assignment, participants will explore the details of QEMU's device emulation to uncover potential vulnerabilities. Throughout the day, participants will explore common communication patterns and device interactions, and develop the skills needed to pinpoint their first vulnerabilities in a crafted emulated device. In the final stage, students will identify and trigger a real-world vulnerability that affected a previous version of QEMU.
VirtualBox Code Navigation and Exploit Development
This assignment introduces VirtualBox as a target for exploitation. Participants will explore aspects of VirtualBox's I/O handling and device emulation to identify vulnerabilities. By applying learned methodologies, they will analyze memory mapping operations, locate potential bugs, and develop a proof-of-concept exploit for a selected vulnerability.
Reverse & Bug Hunting in VMware
Participants will reverse engineer components of VMware's closed-source hypervisors, mapping critical functions related to memory management and I/O handling. The last part brings together all skills developed during the training. Participants will analyze both VMware ESXi and Workstation to identify n-day vulnerabilities and attempt to develop proof-of-concept exploits.
Requirements
Hardware/Software:
- A computer capable of running VMware Workstation Pro (free and downloadable from the Broadcom website)
- Nested virtualization with multiple different hypervisors (only works on VMware Workstation)
- The processor must be an Intel or AMD x86 CPU supporting VT-x or AMD-V (ARM-based Macs will not work)
- A Linux host is preferred. If the host is Windows, Hyper-V must be disabled during the training
- Trainees must have administrator privileges on their computer
- Hex-Rays IDA with the x64 decompiler (IDA Free is enough; IDA Pro with the ARM decompiler and scripting capabilities is preferred)
- Your favorite code editor
Prerequisites:
- Basic programming skills in C and Python
- Familiarity with low-level computer behavior (userland vs. kernel execution, basic x86 processor architecture)
- Knowledge of reverse-engineering concepts and techniques
- Understanding and experience of common C vulnerabilities and exploitation techniques (buffer overflows, use-after-free, race conditions, uninitialized variables, ROP, heap massaging, ASLR bypass)
Trainers
Corentin Bayet is the CTO of REverse Tactics and a seasoned security researcher with over 7 years of experience in vulnerability research and exploitation. His expertise lies in low-level technologies, including operating systems, kernels, and hypervisors. Corentin has publicly demonstrated multiple VM escapes at high-profile events like Pwn2Own (2020, 2024), showcasing his advanced skills in hypervisor security. He has also delivered impactful talks on bug hunting in virtualization at renowned conferences such as EkoParty 2020, GreHack 2023, and GreHack 2024.
Bruno Pujos is the CEO and founder of REverse Tactics, bringing over 10 years of experience as a security researcher specializing in low-level systems and virtualization technologies. He has publicly demonstrated his expertise by achieving multiple VM escapes and privilege escalations on Windows at Pwn2Own (2020, 2022, 2024). Bruno is also an experienced trainer, having delivered advanced courses on reverse-engineering and bug hunting, including sessions focused on firmware and UEFI BIOS reverse engineering.
Trainers contact: info recon cx
To Register
Click here to register.
