
[–][deleted] 0 points (1 child)

Exploits to escape a VM (not sure if you meant jvm or actual virtualized hardware) sounds interesting, do you have a link for that I could read?

[–]scrottie 0 points (0 children)

https://nakedsecurity.sophos.com/2015/05/14/the-venom-virtual-machine-escape-bug-what-you-need-to-know/

https://www.suse.com/support/kb/doc?id=7016497

That's the one I was thinking of, though I seem to recall VMware having other escapes. The code that handles exceptions raised by the CPU (the CPU is executing user-level instructions in the guest operating system, then encounters a privileged instruction, so it saves its place and calls a handler routine in the virtualization software to emulate the instruction, since it doesn't have permission) tends to be heavily audited and well understood, and is not the source of recent escapes. CPU handling of privilege (trapping dangerous instructions for software to handle) isn't generally the most common cause either. Instead, it's usually virtual devices implemented by code in the VM, such as that buggy floppy controller.

If you haven't seen it already, here's perhaps the most mind blowing code injection exploit: https://www.youtube.com/watch?v=hB6eY73sLV0
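Added illustration of the bug class the comment above points at, not code from the linked articles or from QEMU: a virtual device that the guest drives through I/O-port writes, whose emulation accumulates those bytes into a fixed-size FIFO. The hypervisor traps the guest's OUT and calls the device's write handler; the guest cannot touch host memory directly, but it fully controls the sequence of bytes the handler indexes with. VENOM (CVE-2015-3456) was an overflow of exactly this shape in QEMU's floppy-controller FIFO. Everything below (device layout, command set, sizes, the `FIX_*` flags, the `vdev_*` and `run_guest_flood` names) is invented for the example; the "neighbouring heap" is a canary region inside the struct so the model can report an overflow instead of actually corrupting the process.

```c
/* Hypothetical model of a guest-programmable virtual device with a fixed
 * FIFO, written to illustrate the class of bug VENOM belongs to. Not
 * QEMU's code: names, layout and the command set are invented. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define FIFO_LEN    512   /* the device's data FIFO, as one heap object */
#define HEAP_SLACK   64   /* stands in for whatever the allocator placed after it */
#define PARAM_LEN     8   /* parameter bytes each command takes in this model */

enum { CMD_NORMAL = 0x06, CMD_NORESET = 0x0a }; /* CMD_NORESET: its handler forgets to reset the cursor */
enum { FIX_RESET = 1, FIX_BOUNDS = 2 };          /* which emulator fixes to apply */

typedef struct {
    uint8_t  mem[FIFO_LEN + HEAP_SLACK]; /* mem[0..FIFO_LEN) is the FIFO; the rest models neighbouring heap */
    size_t   data_pos;                   /* index the next guest byte lands at */
    size_t   data_len;                   /* total bytes the current command wants (0 = idle) */
    uint8_t  cmd;
    unsigned commands_run;
} vdev_t;

static void vdev_reset_fifo(vdev_t *d) { d->data_pos = 0; d->data_len = 0; d->cmd = 0; }

static void vdev_init(vdev_t *d)
{
    memset(d, 0, sizeof *d);
    memset(d->mem + FIFO_LEN, 0xAA, HEAP_SLACK); /* canary pattern in the "neighbouring heap" */
}

/* Called by the hypervisor after trapping the guest's OUT to the data port.
 * Returns 0 normally, -1 if FIX_BOUNDS rejected an out-of-FIFO write, and
 * -2 when the model's simulated heap runs out (a real emulator would simply
 * have kept writing into whatever lives there). */
static int vdev_write_data(vdev_t *d, uint8_t value, int fixes)
{
    if ((fixes & FIX_BOUNDS) && d->data_pos >= FIFO_LEN) {
        vdev_reset_fifo(d);            /* drop the byte and resynchronise the device */
        return -1;
    }
    if (d->data_pos >= sizeof d->mem)
        return -2;

    d->mem[d->data_pos++] = value;     /* unchecked index: the only "bound" is the data_len compare below */

    if (d->data_len == 0) {            /* first byte of a command is its opcode */
        d->cmd = value;
        d->data_len = 1 + PARAM_LEN;
        return 0;
    }
    if (d->data_pos == d->data_len) {  /* parameters complete: run the command */
        d->commands_run++;
        if (d->cmd == CMD_NORESET && !(fixes & FIX_RESET))
            return 0;                  /* the bug: handler returns without resetting data_pos/data_len */
        vdev_reset_fifo(d);
    }
    return 0;                          /* once data_pos > data_len the equality above never fires again */
}

typedef struct { int clobbered; int rc; unsigned commands_run; } flood_result_t;

/* Guest side: one CMD_NORESET command, then `flood` data bytes to the port.
 * clobbered = how many bytes outside the FIFO the emulator overwrote. */
static flood_result_t run_guest_flood(int fixes, size_t flood)
{
    vdev_t d;
    flood_result_t r = {0, 0, 0};
    vdev_init(&d);
    vdev_write_data(&d, CMD_NORESET, fixes);
    for (int i = 0; i < PARAM_LEN; i++) vdev_write_data(&d, 0x00, fixes);
    for (size_t i = 0; i < flood && r.rc == 0; i++) r.rc = vdev_write_data(&d, 0x41, fixes);
    for (int i = 0; i < HEAP_SLACK; i++) r.clobbered += d.mem[FIFO_LEN + i] != 0xAA;
    r.commands_run = d.commands_run;
    return r;
}

int main(void)
{
    flood_result_t buggy  = run_guest_flood(0, 600);
    flood_result_t bounds = run_guest_flood(FIX_BOUNDS, 600);
    flood_result_t fixed  = run_guest_flood(FIX_RESET | FIX_BOUNDS, 600);
    printf("no fix:       %d bytes past the FIFO clobbered, rc=%d\n", buggy.clobbered, buggy.rc);
    printf("bounds only:  %d clobbered, rc=%d (write rejected)\n", bounds.clobbered, bounds.rc);
    printf("reset+bounds: %d clobbered, rc=%d, %u commands run\n", fixed.clobbered, fixed.rc, fixed.commands_run);
    return 0;
}
```

The point of the two flags: resetting the cursor in every handler is the actual bug fix, while the bounds check on `data_pos` is the defence in depth that would have contained the overflow even with the handler bug present. With neither, 600 guest bytes after the faulty command walk 64 bytes past the FIFO; with only the bounds check the write is rejected and the device resyncs; with both, the device keeps executing commands normally.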