This vulnerability involves a heap-based buffer overflow (CWE-122) in the ionic cloud driver component of VMware ESXi 8.x and 9.x hosts that use AMD-Pensando DPU products. Exploitation could enable privilege escalation and arbitrary code execution. The CVSS 4.0 vector indicates that exploitation requires local access with high attack complexity and privileges, but no user interaction. The vulnerability affects the integrity, availability, and confidentiality of the system with high impact metrics. No patch or official remediation level has been disclosed by AMD as of the publication date.

Successful exploitation of this heap-based buffer overflow could allow an attacker with local access and limited privileges to escalate their privileges to a higher level, potentially executing arbitrary code on the affected ESXi host. This could compromise the confidentiality, integrity, and availability of the host system and any virtual machines running on it. There are currently no known exploits in the wild.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, organizations should limit local access to affected ESXi hosts and monitor for suspicious activity related to the ionic cloud driver. Avoid deploying AMD-Pensando DPU products in sensitive environments if possible until remediation is available.