Parallels Desktop
CVE-2021-31425
HIGH
Severity by source
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop 16.1.2-49151. An attacker must first obtain the ability to execute low-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the Parallels Tools component. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before allocating a buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the kernel on the target guest system. Was ZDI-CAN-12790.
AnalysisAI
This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop 16.1.2-49151. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Integer Overflow (CWE-190), which allows attackers to cause unexpected behavior through arithmetic overflow. This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop 16.1.2-49151. An attacker must first obtain the ability to execute low-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the Parallels Tools component. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before allocating a buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the kernel on the target guest system. Was ZDI-CAN-12790. Affected products include: Parallels Parallels Desktop.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Validate arithmetic operations, use safe integer libraries, check bounds before allocation.
More in Parallels Desktop
View allDirectory traversal vulnerability in Parallels Desktop for Mac version 20.2.2 (build 55879) affecting the PVMP package u
Privilege escalation vulnerability in Parallels Desktop for Mac version 20.1.1 (build 55740) where the snapshot function
Privilege escalation vulnerability in Parallels Desktop for Mac 20.1.1 that allows a local attacker with user-level priv
Privilege escalation vulnerability in Parallels Desktop for Mac version 20.1.1 (build 55740) affecting the Snapshot dele
Improper privilege management vulnerability in Parallels Desktop Software, which affects versions earlier than 19.3.0. R
This vulnerability allows local attackers to disclose sensitive information on affected installations of Parallels Deskt
This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop 16.1.3 (
This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop 16.1.3 (
This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop 16.1.3 (
This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop 16.1.2-4
This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop 15.1.5-4
This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop 16.1.0-4
Same weakness CWE-190 – Integer Overflow or Wraparound
View allSame technique Integer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today