TOCTOU local privilege escalation vulnerability
CVE-2026-41702

7.8HIGH

Key Information:

Vendor: Vmware
Status: Fusion
Vendor: CVE Published:; 15 May 2026

What is CVE-2026-41702?

VMware Fusion contains a TOCTOU (Time-of-check Time-of-use) vulnerability that occurs during an operation performed by a SETUID binary. A malicious actor with local non-administrative user privileges may exploit this vulnerability to escalate privileges to root on the system where Fusion is installed.

Affected Version(s)

Fusion MacOS 2025H2 < 2026H1

References

https://support.broadcom.com/web/ecx/support-content-noti...

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 15, 2026
Vulnerability Reserved
Apr 22, 2026

CVE-2026-41702 Data

JSON

Vmware

What is CVE-2026-41702?

Affected Version(s)

References

CVSS V3.1

Timeline