Integer Underflow in VMware ESXi, Workstation and Fusion Affects Virtual Machine Security
CVE-2025-41237
9.3 CRITICAL
What is CVE-2025-41237?
VMware ESXi, Workstation, and Fusion are affected by an integer underflow vulnerability within the Virtual Machine Communication Interface (VMCI). This flaw can allow a local attacker with administrative privileges on a virtual machine to perform an out-of-bounds write, potentially leading to arbitrary code execution in the VMX process on the host machine. In the case of ESXi, the impact is confined to the VMX sandbox; however, on Workstation and Fusion, the threat extends to the host system itself. Immediate action is recommended to secure affected installations.
Affected Version(s)
Cloud Foundation 9.0.0.0, 5.x, 4.5.x
ESXi 8.0