Use-after-free vulnerability

Summary

A critical vulnerability has been detected in VMware ESXi, Workstation, and Fusion products, allowing a local administrative user on a virtual machine to execute code on the host. The vulnerabilities, collectively tracked as CVE-2024-22252, CVE-2024-22253, CVE-2024-22254, and CVE-2024-22255, have severities that range from 7.1 to 9.3 and encompass use-after-free bugs, out-of-bounds write vulnerabilities, and information disclosure problems in the USB controllers used by the affected products. The exploitation of these vulnerabilities poses a threat to sensitive operations and requires immediate patching to mitigate the risk. There is no evidence of active exploitation in the wild, but victims of these exploits could lead to unauthorized access and control over virtual machines and host systems. Prompt action from organizations to patch or mitigate these vulnerabilities is advised.

News Articles

Ars Technica

CVE-2024-22252CVE-2024-22253

VMware sandbox escape bugs are so critical, patches are released for end-of-life products

VMware ESXi, Workstation, Fusion, and Cloud Foundation all affected.

9 months ago

Beeping Computers

CVE-2024-22252CVE-2024-22253

VMware fixes critical sandbox escape flaws in ESXi, Workstation, and Fusion

VMware released security updates to fix critical sandbox escape vulnerabilities in VMware ESXi, Workstation, Fusion, and Cloud Foundation products, allowing attackers to escape virtual machines and access the host operating system.

9 months ago