Use-after-free vulnerability
Key Information
- Vendor: VMware
- Affected products: VMware ESXi, VMware Workstation, VMware Fusion, VMware Cloud Foundation
- CVE published: 5 March 2024
Summary
VMware has disclosed four vulnerabilities in ESXi, Workstation, Fusion and Cloud Foundation, tracked as CVE-2024-22252, CVE-2024-22253, CVE-2024-22254 and CVE-2024-22255, with CVSS v3.1 base scores ranging from 7.1 to 9.3. They comprise use-after-free bugs and an information disclosure in the emulated USB controllers of the affected products, plus an out-of-bounds write. An attacker with local administrative privileges inside a guest can use them to break out of the virtual machine: on Workstation and Fusion this yields code execution on the host, while on ESXi the resulting execution is contained within the VMX sandbox. There is no evidence of exploitation in the wild at the time of writing, but successful exploitation would give an attacker unauthorized access to, and control over, other virtual machines and the host system. Organizations should apply the vendor patches promptly or, where that is not immediately possible, apply the vendor's mitigation.
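The summary names the bug class but shows no code. The block below is a schematic model added for this page; it is not VMware's code and does not reproduce the actual CVE-2024-22252 or CVE-2024-22253 defects, whose internals VMware has not published. The `usb_dev` layout, the `pending_xfer` structure and the static pool are assumptions made for the illustration. It shows the lifetime error that defines a use-after-free in a device-emulation setting (a transfer queued by the guest still references an object that the detach path has freed) beside the reference-counting fix that keeps the object alive until its last user is done.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define POOL_SLOTS 4
#define MAGIC_LIVE 0x4c495645u  /* "LIVE" */
#define MAGIC_DEAD 0x44454144u  /* "DEAD" */

/* Hypothetical emulated USB device object; the field names are assumptions for this model. */
struct usb_dev {
    uint32_t magic;  /* poisoned on free so a stale dereference is observable here, not silent UB */
    uint32_t refs;   /* reference count, used only by the fixed flow */
    int      port;
};

/* Constructed static pool: objects are "freed" by poisoning rather than by free(),
 * so the stale access below is a detectable state instead of undefined behaviour. */
static struct usb_dev pool[POOL_SLOTS];

static struct usb_dev *dev_alloc(int port) {
    for (int i = 0; i < POOL_SLOTS; i++) {
        if (pool[i].magic != MAGIC_LIVE) {
            memset(&pool[i], 0, sizeof pool[i]);
            pool[i].magic = MAGIC_LIVE;
            pool[i].refs  = 1;     /* the controller's own reference */
            pool[i].port  = port;
            return &pool[i];
        }
    }
    return NULL;
}

static void dev_free(struct usb_dev *d) { d->magic = MAGIC_DEAD; }
static void dev_get(struct usb_dev *d)  { d->refs++; }
static void dev_put(struct usb_dev *d)  { if (--d->refs == 0) dev_free(d); }

/* A transfer queued on the controller keeps a pointer to its device until completion. */
struct pending_xfer { struct usb_dev *dev; int bytes; };

/* Completion handler shared by both flows. Returns bytes transferred, or -1 if the
 * device object is no longer live (the stand-in for the crash or memory corruption
 * a real use-after-free would cause). */
static int complete_xfer(struct pending_xfer *x) {
    if (x->dev->magic != MAGIC_LIVE) return -1;
    return x->bytes;
}

/* VULNERABLE flow: detach frees the device outright while a transfer is still queued. */
static int scenario_vulnerable(void) {
    struct usb_dev *d = dev_alloc(1);
    struct pending_xfer x = { d, 64 };  /* raw pointer, no reference taken */
    dev_free(d);                        /* guest-triggered detach: object freed with a transfer outstanding */
    return complete_xfer(&x);           /* dangling pointer dereferenced: -1 */
}

/* FIXED flow: the queued transfer owns a reference, so detach only drops the
 * controller's reference and the object outlives the completion that still needs it. */
static int scenario_fixed(void) {
    struct usb_dev *d = dev_alloc(1);
    struct pending_xfer x = { d, 64 };
    dev_get(d);                         /* transfer takes its own reference (refs == 2) */
    dev_put(d);                         /* detach: controller's reference dropped, object still live (refs == 1) */
    int r = complete_xfer(&x);          /* 64 */
    dev_put(x.dev);                     /* completion releases the last reference: object freed here */
    return r;
}

/* After the fixed flow, confirm the object was actually released (no leak):
 * slot 0 is the one dev_alloc hands out when no other device is live. */
static int fixed_flow_releases_object(void) {
    scenario_fixed();
    return pool[0].magic == MAGIC_DEAD && pool[0].refs == 0;
}

int main(void) {
    printf("vulnerable flow: %d (stale device)\n", scenario_vulnerable());
    printf("fixed flow:      %d\n", scenario_fixed());
    return 0;
}
```

The poisoned magic value plays the role a debug allocator or ASan would in a real build; in production code the vulnerable flow would simply read or write memory that may already be reused, which is what turns a guest-controlled detach into host-side memory corruption.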
Affected Version(s)
VMware ESXi 8.0 (builds prior to the March 2024 patch)
VMware ESXi 7.0 (builds prior to the March 2024 patch)
News Articles
VMware sandbox escape bugs are so critical, patches are released for end-of-life products
VMware ESXi, Workstation, Fusion, and Cloud Foundation all affected.
8 months ago
VMware fixes critical sandbox escape flaws in ESXi, Workstation, and Fusion
VMware released security updates to fix critical sandbox escape vulnerabilities in VMware ESXi, Workstation, Fusion, and Cloud Foundation products, allowing attackers to escape virtual machines and access the host operating system.
8 months ago
Timeline
- Exploit exists.
- Vulnerability started trending.
- First article discovered, by BleepingComputer.
- Vulnerability published.
- Vulnerability reserved.