Parallels Desktop
CVE-2021-34857
HIGH
Severity by source
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop 16.1.3 (49160). An attacker must first obtain the ability to execute high-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the Toolgate component. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the hypervisor. Was ZDI-CAN-13601.
AnalysisAI
This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop 16.1.3 (49160). Rated high severity (CVSS 8.8), this vulnerability is low attack complexity. This Out-of-bounds Write vulnerability could allow attackers to write data beyond allocated buffer boundaries leading to code execution or crashes.
Technical ContextAI
This vulnerability is classified as Out-of-bounds Write (CWE-787), which allows attackers to write data beyond allocated buffer boundaries leading to code execution or crashes. This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop 16.1.3 (49160). An attacker must first obtain the ability to execute high-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the Toolgate component. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the hypervisor. Was ZDI-CAN-13601. Affected products include: Parallels Parallels Desktop.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Validate write boundaries, use memory-safe languages, enable compiler protections (ASLR, stack canaries).
More in Parallels Desktop
View allDirectory traversal vulnerability in Parallels Desktop for Mac version 20.2.2 (build 55879) affecting the PVMP package u
Privilege escalation vulnerability in Parallels Desktop for Mac version 20.1.1 (build 55740) where the snapshot function
Privilege escalation vulnerability in Parallels Desktop for Mac 20.1.1 that allows a local attacker with user-level priv
Privilege escalation vulnerability in Parallels Desktop for Mac version 20.1.1 (build 55740) affecting the Snapshot dele
Improper privilege management vulnerability in Parallels Desktop Software, which affects versions earlier than 19.3.0. R
This vulnerability allows local attackers to disclose sensitive information on affected installations of Parallels Deskt
This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop 16.1.3 (
This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop 16.1.3 (
This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop 16.1.2-4
This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop 16.1.2-4
This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop 15.1.5-4
This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop 16.1.0-4
Same weakness CWE-787 – Out-of-bounds Write
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today