Use-After-Free Vulnerability in VMware ESXi, Workstation, and Fusion USB Controller
CVE-2021-22040

6.7 MEDIUM

Key Information:

Vendor: VMware
CVE Published: 16 February 2022

Summary

VMware ESXi, Workstation, and Fusion are impacted by a use-after-free vulnerability in the XHCI USB controller. This security flaw can be exploited by a malicious actor who possesses local administrative privileges on a virtual machine, enabling them to execute code in the context of the VMX process on the host. This could potentially lead to unauthorized control and manipulation of the affected systems.

Affected Version(s)

VMware ESXi, Workstation, Fusion and VMware Cloud Foundation:

  • VMware ESXi 7.0 U3 before ESXi70U3c-19193900
  • VMware ESXi 7.0 U2 before ESXi70U2e-19290878
  • VMware ESXi 7.0 U1 before ESXi70U1e-19324898
  • VMware ESXi 6.7 before ESXi670-202111101-SG
  • VMware ESXi 6.5 before ESXi650-202202401-SG
  • Workstation 16.x before 16.2.1
  • Fusion 12.x before 12.2.1
  • VMware Cloud Foundation 4.x before 4.4 and 3.x before 3.11

CVSS v3.1

Score: 6.7
Severity: MEDIUM
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved