How to fix CVE-2024-36486?

Within 24 hours: Identify and inventory all Parallels Desktop 20.1.1 installations across the organization and restrict VM restoration activities to trusted administrators only. Within 7 days: Disable VM restoration functionality in Parallels Desktop until a patch is available, or upgrade to a newer version if available from Parallels. Within 30 days: Monitor Parallels security advisories for patch availability and implement comprehensive testing before deployment; review access logs for any suspicious VM restoration activity.

Is Parallels Desktop affected by CVE-2024-36486?

Parallels Desktop for Mac users face a privilege escalation risk that could allow attackers to gain root-level access to affected systems through virtual machine restoration.

CVE-2024-36486

EUVD-2024-54643 HIGH

2025-06-03 [email protected]

7.8

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 14, 2026 - 17:04 vuln.today

EUVD ID Assigned

Mar 14, 2026 - 17:04 euvd

EUVD-2024-54643

PoC Detected

Jul 02, 2025 - 15:06 vuln.today

Public exploit code

CVE Published

Jun 03, 2025 - 10:15 nvd

HIGH 7.8

Description

A privilege escalation vulnerability exists in the virtual machine archive restoration functionality of Parallels Desktop for Mac version 20.1.1 (55740). When an archived virtual machine is restored, the prl_vmarchiver tool decompresses the file and writes the content back to its original location using root privileges. An attacker can exploit this process by using a hard link to write to an arbitrary file, potentially resulting in privilege escalation.

Analysis

Privilege escalation vulnerability in Parallels Desktop for Mac 20.1.1 that allows a local attacker with user-level privileges to gain root-level code execution through a hard link attack during virtual machine archive restoration. The prl_vmarchiver tool operates with root privileges during decompression and file restoration, enabling an attacker to redirect writes to arbitrary system files. This vulnerability has a CVSS score of 7.8 (High) with low attack complexity, making it a practical privilege escalation vector for local users on affected systems.

Technical Context

The vulnerability resides in the virtual machine archive restoration functionality of Parallels Desktop, specifically the prl_vmarchiver utility. The root cause is classified under CWE-62 (Improper Validation of a Pathname for a Restricted Directory), which encompasses insecure handling of symlinks and hard links during file operations. When restoring archived VMs, prl_vmarchiver decompresses content with elevated (root) privileges and writes files to their original locations without proper validation of pathname integrity. An attacker can exploit this by creating hard links that point to sensitive system files (e.g., /etc/sudoers, system binaries, or configuration files). When the restoration process follows the hard link and writes VM content, it effectively modifies arbitrary system files with root privileges. This is a classic time-of-check-time-of-use (TOCTOU) and insecure symlink/hardlink handling pattern. Affected: CPE:2.3:a:parallels:parallels_desktop:20.1.1:*:*:*:*:mac:*:* (version 55740).

Affected Products

- vendor: Parallels; product: Parallels Desktop for Mac; version: 20.1.1; build: 55740; cpe: cpe:2.3:a:parallels:parallels_desktop:20.1.1:*:*:*:*:mac:*:*; platform: macOS; status: Vulnerable

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +39

POC: +20

CVE-2024-36486 vulnerability details – vuln.today

Back

CVE-2024-36486

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Priority Score

Share

CVE-2024-36486

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Priority Score

Share

External POC / Exploit Code