Use-after-free vulnerability
CVE-2024-22253

9.3 CRITICAL

Key Information:

Vendor
VMware
CVE Published:
5 March 2024

Badges

📰 News Worthy

Summary

VMware ESXi, Workstation, and Fusion contain a use-after-free vulnerability in the UHCI USB controller. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute arbitrary code as the virtual machine's VMX process running on the host. On ESXi, the exploitation is contained within the VMX sandbox; on Workstation and Fusion, it may lead to code execution on the machine where Workstation or Fusion is installed, posing a significant security risk to users.

Affected Version(s)

VMware Cloud Foundation 5.x

VMware Cloud Foundation 4.x

VMware ESXi 8.0

News Articles

VMware sandbox escape bugs are so critical, patches are released for end-of-life products

VMware ESXi, Workstation, Fusion, and Cloud Foundation all affected.

10 months ago

VMware fixes critical sandbox escape flaws in ESXi, Workstation, and Fusion

VMware released security updates to fix critical sandbox escape vulnerabilities in VMware ESXi, Workstation, Fusion, and Cloud Foundation products, allowing attackers to escape virtual machines and access the host operating system.

10 months ago

References

CVSS V3.1

Score:
9.3
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • 📰 First article discovered by BleepingComputer

  • Vulnerability published

  • Vulnerability Reserved
