Use-after-free vulnerability
CVE-2024-22253

6.7 MEDIUM

Key Information:

Vendor: VMware

CVE Published: 5 March 2024

Badges: 📰 News Worthy

What is CVE-2024-22253?

VMware ESXi, Workstation, and Fusion exhibit a use-after-free vulnerability associated with the UHCI USB controller. This flaw allows a malicious user with local administrative privileges on a virtual machine to exploit the vulnerability, potentially executing arbitrary code within the VMX process on the host system. On ESXi, this exploitation is limited to the VMX sandbox environment. In contrast, on Workstation and Fusion, successful exploitation could permit the execution of code directly on the host machine, posing a significant security risk to users.

Affected Version(s)

VMware Cloud Foundation 5.x

VMware Cloud Foundation 4.x

VMware ESXi 8.0

News Articles

VMware sandbox escape bugs are so critical, patches are released for end-of-life products

VMware ESXi, Workstation, Fusion, and Cloud Foundation all affected.

VMware fixes critical sandbox escape flaws in ESXi, Workstation, and Fusion

VMware released security updates to fix critical sandbox escape vulnerabilities in VMware ESXi, Workstation, Fusion, and Cloud Foundation products, allowing attackers to escape virtual machines and access the host operating system.


CVSS V3.1

Score: 6.7
Severity: MEDIUM
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged

Timeline

  • 📰 First article discovered by BleepingComputer

  • Vulnerability published

  • Vulnerability reserved