Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
VMware Fusion contains a TOCTOU (Time-of-check Time-of-use) vulnerability that occurs during an operation performed by a SETUID binary. A malicious actor with local non-administrative user privileges may exploit this vulnerability to escalate privileges to root on the system where Fusion is installed.
AnalysisAI
Local privilege escalation in VMware Fusion allows authenticated users with non-administrative privileges to gain root access by exploiting a TOCTOU race condition in a SETUID binary. The vulnerability requires local access and low attack complexity (CVSS:3.1 AV:L/AC:L/PR:L), enabling complete system compromise on macOS hosts running affected Fusion versions. EPSS and KEV status data not available; exploitation requires existing local user access but can bypass all privilege boundaries once triggered.
Technical ContextAI
This is a Time-of-check Time-of-use (TOCTOU) race condition (CWE-367) affecting a SETUID root binary shipped with VMware Fusion. SETUID binaries run with elevated privileges (typically root) regardless of who executes them, making them high-value targets. TOCTOU vulnerabilities occur when a program checks a condition (like file permissions or existence) and then uses the resource in a separate operation-an attacker can modify the resource between the check and use, causing the privileged binary to operate on attacker-controlled data. In VMware Fusion's case, the vulnerable SETUID binary likely performs file operations or system calls where an attacker can manipulate filesystem objects (symlinks, file replacements) during the time window between validation and execution. The CPE identifier cpe:2.3:a:vmware:fusion:*:*:*:*:*:*:*:* indicates all versions may be affected pending specific version confirmation from the vendor advisory.
RemediationAI
Apply the vendor-released patch by upgrading to the fixed version specified in Broadcom's security advisory at https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37454. Until patching is complete, implement compensating controls: restrict local user access to systems running VMware Fusion by removing unnecessary user accounts and enforcing principle of least privilege; monitor for unexpected SETUID binary executions using macOS Endpoint Security Framework or auditd logs focusing on Fusion installation directories (typically /Applications/VMware Fusion.app); consider temporarily removing execute permissions from the vulnerable SETUID binary if identified in the advisory (note this will likely break Fusion functionality); deploy application allowlisting to prevent unauthorized execution chains that could leverage this escalation. These mitigations reduce attack surface but do not eliminate the vulnerability-patching remains the only complete remediation.
Same technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30510
GHSA-gwg2-qh78-562m