Double-Fetch Vulnerability in VMware ESXi, Workstation, and Fusion USB Controller
CVE-2021-22041

6.7 MEDIUM

Key Information:

Vendor
VMware
CVE Published:
16 February 2022

Summary

VMware ESXi, Workstation, and Fusion contain a double-fetch vulnerability in the emulated UHCI USB controller: a value in guest-controlled memory is read once for a check and read again for use, so the guest can change it in between. An attacker with local administrative privileges inside a virtual machine may exploit this to execute code as the VMX process on the host, i.e. a guest-to-host escape. Applying the fixed versions listed under Affected Version(s) mitigates the issue.
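The summary names the bug class but not the pattern. The following added example (not code from VMware or from this record) models a double fetch on a constructed descriptor living in guest-writable shared memory, alongside the hardened form that snapshots the value once. The `shared_desc_t` layout, the `race_hook` callback that stands in for a guest writing concurrently, and the sizes are all assumptions made for illustration; the real controller's structures are not shown on this page.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed model of a descriptor that sits in memory the guest can write
 * at any time. 'volatile' keeps both reads in the vulnerable path real. */
typedef struct {
    volatile uint32_t len;   /* transfer length chosen by the guest */
    uint8_t data[256];       /* payload area (over-sized so the demo stays in bounds) */
} shared_desc_t;

/* Vulnerable pattern: the length is fetched for the bounds check and fetched
 * again for the copy. If the guest changes it between the two fetches, the
 * check is bypassed. Returns the number of bytes the copy actually used. */
static int copy_double_fetch(shared_desc_t *desc, uint8_t *out, size_t out_size,
                             void (*race_hook)(shared_desc_t *))
{
    if (desc->len > out_size)        /* fetch #1: validate */
        return -1;
    if (race_hook)                   /* simulated guest write between the fetches */
        race_hook(desc);
    size_t n = desc->len;            /* fetch #2: use (may now exceed out_size) */
    memcpy(out, desc->data, n);      /* overrun relative to the checked bound */
    return (int)n;
}

/* Hardened pattern: copy the guest-controlled value into a local exactly once,
 * validate that local, and only ever use the local afterwards. */
static int copy_single_fetch(shared_desc_t *desc, uint8_t *out, size_t out_size,
                             void (*race_hook)(shared_desc_t *))
{
    uint32_t len = desc->len;        /* single fetch into host-private storage */
    if (len > out_size)
        return -1;
    if (race_hook)                   /* the guest may still write, but it no longer matters */
        race_hook(desc);
    memcpy(out, desc->data, len);    /* bounded by the value that was checked */
    return (int)len;
}

/* Constructed racing writer: bumps the length past the host buffer size. */
static void guest_bumps_len(shared_desc_t *desc)
{
    desc->len = 200;
}

int main(void)
{
    shared_desc_t d;
    uint8_t out[256];                /* logical host buffer is 64 bytes; real storage is larger
                                        so the demonstration does not corrupt memory */
    memset(&d, 0, sizeof d);

    d.len = 16;
    int v = copy_double_fetch(&d, out, 64, guest_bumps_len);
    printf("double fetch: check allowed 16, copy used %d bytes\n", v);

    d.len = 16;
    int h = copy_single_fetch(&d, out, 64, guest_bumps_len);
    printf("single fetch: check allowed 16, copy used %d bytes\n", h);
    return 0;
}
```

The fix is not a lock but a discipline: every field read from guest-shared memory is copied into host-private storage once, validated there, and never re-read. Reviewers can look for any `desc->field` expression that appears both in a check and later in a use.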

Affected Version(s)

VMware ESXi, Workstation, Fusion and VMware Cloud Foundation: VMware ESXi (7.0 U3 before ESXi70U3c-19193900, 7.0 U2 before ESXi70U2e-19290878, 7.0 U1 before ESXi70U1e-19324898, ESXi 6.7 before ESXi670-202111101-SG and ESXi 6.5 before ESXi650-202202401-SG), Workstation (16.x before 16.2.1), Fusion (12.x before 12.2.1) and VMware Cloud Foundation (4.x before 4.4 and 3.x before 3.11)

References

CVSS V3.1

Score:
6.7
Severity:
MEDIUM
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
