Breaking Isolation: A New Perspective on Hypervisor Exploitation via Cross-Domain Attacks

📅 2025-12-03
🤖 AI Summary
Modern virtualized environments suffer from weak memory isolation, enabling attackers to exploit guest-memory manipulation vulnerabilities to corrupt host-side pointers. However, existing exploitation frameworks are hindered by the absence of paravirtualization interfaces and interference from ASLR, limiting their effectiveness. This paper introduces Cross-Domain Attack (CDA), a novel exploitation paradigm. We systematically establish the first CDA taxonomy and automated exploitation framework, leveraging guest memory reuse to circumvent reliance on complex host data structures. Our approach integrates cross-domain gadget identification, tainted pointer matching, trigger-input generation, and exploit-chain auto-assembly, combining dynamic analysis with symbolic execution for end-to-end attack-chain construction. Evaluated on 15 real-world vulnerabilities across QEMU and VirtualBox, our framework achieves stable VM escape in all cases, demonstrating strong generality and practicality.

📝 Abstract
Hypervisors are threatened by critical memory safety vulnerabilities, with pointer corruption being one of the most prevalent and severe forms. Existing exploitation frameworks depend on identifying highly constrained structures in the host machine and accurately determining their runtime addresses, which is ineffective in hypervisor environments where such structures are rare and further obfuscated by Address Space Layout Randomization (ASLR). We instead observe that modern virtualization environments exhibit weak memory isolation: guest memory is fully attacker-controlled yet accessible from the host, providing a reliable primitive for exploitation. Based on this observation, we present the first systematic characterization and taxonomy of Cross-Domain Attacks (CDA), a class of exploitation techniques that enable capability escalation through guest memory reuse. To automate this process, we develop a system that identifies cross-domain gadgets, matches them with corrupted pointers, synthesizes triggering inputs, and assembles complete exploit chains. Our evaluation on 15 real-world vulnerabilities across QEMU and VirtualBox shows that CDA is widely applicable and effective.
Problem

Research questions and friction points this paper is trying to address.

Addresses hypervisor memory safety vulnerabilities via cross-domain attacks.
Overcomes ASLR limitations by exploiting weak memory isolation in virtualization.
Automates exploit chain generation for guest-to-host capability escalation.
Innovation

Methods, ideas, or system contributions that make the work stand out.

Exploits weak memory isolation between guest and host
Automates cross-domain gadget identification and exploit synthesis
Systematically characterizes cross-domain attacks for hypervisor exploitation
Authors

Gaoning Pan
Hangzhou Dianzi University, Zhejiang Provincial Key Laboratory of Sensitive Data Security and Confidentiality Governance

Yiming Tao
Zhejiang University

Qinying Wang
EPFL

Chunming Wu
Zhejiang University

Mingde Hu
Hangzhou Dianzi University, Zhejiang Provincial Key Laboratory of Sensitive Data Security and Confidentiality Governance

Yizhi Ren
Hangzhou Dianzi University; Pengcheng Laboratory
Research interests: Security, Game Theory, Digital Forensics

Shouling Ji
Professor, Zhejiang University & Georgia Institute of Technology
Research interests: Data-driven Security, AI Security, Software Security, Privacy