Heap Overflow Vulnerability in VMware ESXi, Workstation, and Fusion Products
CVE-2025-41238

9.3CRITICAL

Key Information:

Vendor: Vmware
Status: Esxi; Cloud Foundation; Workstation; Fusion
Vendor: CVE Published:; 15 July 2025

What is CVE-2025-41238?

VMware ESXi, Workstation, and Fusion exhibit a vulnerability within the PVSCSI (Paravirtualized SCSI) controller, which can lead to a heap overflow condition resulting in an out-of-bounds write. If a malicious actor gains local administrative access on a virtual machine, they may potentially exploit this flaw to execute arbitrary code within the VMX process running on the host machine. In the case of ESXi, any exploitation attempts are limited to the VMX sandbox, applicable only under specific unsupported configurations. On the other hand, vulnerabilities in Workstation and Fusion can permit an attacker to execute code on the host system where these applications are installed.

Affected Version(s)

Cloud Foundation 5.x, 4.5.x

ESXi 8.0

References

https://support.broadcom.com/web/ecx/support-content-noti...

CVSS V3.1

Score:

9.3

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 15, 2025
Vulnerability Reserved
Apr 16, 2025

Vmware

What is CVE-2025-41238?

Affected Version(s)

References

CVSS V3.1

Timeline