VMware Issues Security Patches for ESXi, Workstation, and Fusion Flaws

VMware has released patches to address four security flaws impacting ESXi, Workstation, and Fusion, including two critical flaws that could lead to code execution.

Tracked as CVE-2024-22252 and CVE-2024-22253, the vulnerabilities have been described as use-after-free bugs in the XHCI USB controller. They carry a CVSS score of 9.3 for Workstation and Fusion, and 8.4 for ESXi systems.

“A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine’s VMX process running on the host,” the company said in a new advisory.

“On ESXi, the exploitation is contained within the VMX sandbox whereas, on Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed.”

Multiple security researchers associated with the Ant Group Light-Year Security Lab and QiAnXin have been credited with independently discovering and reporting CVE-2024-22252. Security researchers VictorV and Wei have been acknowledged for reporting CVE-2024-22253.


Also patched by the Broadcom-owned virtualization services provider are two other shortcomings –

  • CVE-2024-22254 (CVSS score: 7.9) – An out-of-bounds write vulnerability in ESXi that a malicious actor with privileges within the VMX process could exploit to trigger a sandbox escape.
  • CVE-2024-22255 (CVSS score: 7.9) – An information disclosure vulnerability in the UHCI USB controller that an attacker with administrative access to a virtual machine could exploit to leak memory from the vmx process.

The issues have been addressed in the following versions, including those that have reached end-of-life (EoL) due to the severity of these issues –


As a temporary workaround until a patch can be deployed, customers have been asked to remove all USB controllers from the virtual machine.

“In addition, virtual/emulated USB devices, such as VMware virtual USB stick or dongle, will not be available for use by the virtual machine,” the company said. “In contrast, the default keyboard/mouse as input devices are not affected as they are, by default, not connected through USB protocol but have a driver that does software device emulation in the guest OS.”
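To verify the workaround across a fleet, an administrator can audit each VM's .vmx configuration for enabled USB controllers before and after removing them. The following script is an added example, not VMware's own tooling; it assumes the standard .vmx keys `usb.present` (UHCI), `ehci.present` (EHCI) and `usb_xhci.present` (xHCI) enable the respective emulated controllers, and the sample configuration is constructed.

```python
import re
from typing import Dict, List

# .vmx keys that enable each emulated USB host controller
# (assumed key names as used in VMware .vmx configuration files)
USB_CONTROLLER_KEYS = {
    "usb.present": "UHCI (USB 1.1)",
    "ehci.present": "EHCI (USB 2.0)",
    "usb_xhci.present": "xHCI (USB 3.x)",
}

# Controllers the advisory coverage above ties to specific CVEs
ADVISORY_NOTES = {
    "usb_xhci.present": "CVE-2024-22252 / CVE-2024-22253 (use-after-free)",
    "usb.present": "CVE-2024-22255 (information disclosure)",
}

_LINE = re.compile(r'^\s*([A-Za-z0-9_.:]+)\s*=\s*"?([^"]*)"?\s*$')

def parse_vmx(text: str) -> Dict[str, str]:
    """Parse key = "value" lines of a .vmx file into a dict (keys lower-cased)."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _LINE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2).strip()
    return cfg

def usb_controllers(text: str) -> List[str]:
    """Return the .vmx keys of USB controllers that are enabled (TRUE) in this VM."""
    cfg = parse_vmx(text)
    return [k for k in USB_CONTROLLER_KEYS if cfg.get(k, "").upper() == "TRUE"]

def audit(text: str) -> List[str]:
    """One finding per enabled controller; all of them violate the workaround."""
    findings = []
    for key in usb_controllers(text):
        note = ADVISORY_NOTES.get(key, "remove per workaround")
        findings.append(f"{USB_CONTROLLER_KEYS[key]} enabled via {key}: {note}")
    return findings

# Constructed sample .vmx fragment (not taken from any real VM)
SAMPLE_VMX = '''\
.encoding = "UTF-8"
config.version = "8"
displayName = "build-agent-01"
usb.present = "TRUE"
ehci.present = "FALSE"
usb_xhci.present = "TRUE"
'''

if __name__ == "__main__":
    for finding in audit(SAMPLE_VMX):
        print(finding)
```

On an ESXi host the same check can be run over every `/vmfs/volumes/*/*/*.vmx` path by reading each file and passing its contents to `audit`.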
