Skip to main content

VMware Fusion CVE-2026-41702

| EUVDEUVD-2026-30510 HIGH
Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)
2026-05-15 vmware GHSA-gwg2-qh78-562m
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch available
May 15, 2026 - 08:01 EUVD
Analysis Generated
May 15, 2026 - 07:30 vuln.today
CVE Published
May 15, 2026 - 06:11 nvd
HIGH 7.8

DescriptionCVE.org

VMware Fusion contains a TOCTOU (Time-of-check Time-of-use) vulnerability that occurs during an operation performed by a SETUID binary. A malicious actor with local non-administrative user privileges may exploit this vulnerability to escalate privileges to root on the system where Fusion is installed.

AnalysisAI

Local privilege escalation in VMware Fusion allows authenticated users with non-administrative privileges to gain root access by exploiting a TOCTOU race condition in a SETUID binary. The vulnerability requires local access and low attack complexity (CVSS:3.1 AV:L/AC:L/PR:L), enabling complete system compromise on macOS hosts running affected Fusion versions. EPSS and KEV status data not available; exploitation requires existing local user access but can bypass all privilege boundaries once triggered.

Technical ContextAI

This is a Time-of-check Time-of-use (TOCTOU) race condition (CWE-367) affecting a SETUID root binary shipped with VMware Fusion. SETUID binaries run with elevated privileges (typically root) regardless of who executes them, making them high-value targets. TOCTOU vulnerabilities occur when a program checks a condition (like file permissions or existence) and then uses the resource in a separate operation-an attacker can modify the resource between the check and use, causing the privileged binary to operate on attacker-controlled data. In VMware Fusion's case, the vulnerable SETUID binary likely performs file operations or system calls where an attacker can manipulate filesystem objects (symlinks, file replacements) during the time window between validation and execution. The CPE identifier cpe:2.3:a:vmware:fusion:*:*:*:*:*:*:*:* indicates all versions may be affected pending specific version confirmation from the vendor advisory.

RemediationAI

Apply the vendor-released patch by upgrading to the fixed version specified in Broadcom's security advisory at https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37454. Until patching is complete, implement compensating controls: restrict local user access to systems running VMware Fusion by removing unnecessary user accounts and enforcing principle of least privilege; monitor for unexpected SETUID binary executions using macOS Endpoint Security Framework or auditd logs focusing on Fusion installation directories (typically /Applications/VMware Fusion.app); consider temporarily removing execute permissions from the vulnerable SETUID binary if identified in the advisory (note this will likely break Fusion functionality); deploy application allowlisting to prevent unauthorized execution chains that could leverage this escalation. These mitigations reduce attack surface but do not eliminate the vulnerability-patching remains the only complete remediation.

Share

CVE-2026-41702 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy