Use-After-Free Vulnerability in VMware ESXi, Workstation, and Fusion
CVE-2020-4004
8.2 HIGH
Summary
A use-after-free vulnerability exists in the XHCI USB controller of VMware products, allowing attackers with local administrative privileges on a virtual machine to execute arbitrary code in the context of the VMX process on the host. This could lead to unauthorized actions within the virtual machine environment, posing a significant security risk to affected VMware installations. Proper updates and patches are required to mitigate the risk associated with this vulnerability.
Affected Version(s)
Fusion 11.x before 11.5.7
VMware ESXi 7.0 before ESXi70U1b-17168206
VMware ESXi 6.7 before ESXi670-202011101-SG
CVSS V3.1
Score: 8.2
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Changed
Timeline
Vulnerability published
Vulnerability reserved