CVE-2024-22252

VMware ESXi, Workstation, and Fusion contain a use-after-free vulnerability in the XHCI USB controller.A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host. On ESXi, the exploitation is contained within the VMX sandbox whereas, on Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.3 CRITICAL
LOCAL
LOW
NONE
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
vmwareCNA
9.3 CRITICAL
LOCAL
LOW
NONE
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 53%
VendorProductVersion
vmwareworkstation
17.0.0 ≤
𝑥
< 17.5.1
vmwareesxi
7.0
vmwareesxi
7.0:update_1
vmwareesxi
7.0:update_1a
vmwareesxi
7.0:update_1b
vmwareesxi
7.0:update_1c
vmwareesxi
7.0:update_1d
vmwareesxi
7.0:update_1e
vmwareesxi
7.0:update_2
vmwareesxi
7.0:update_2a
vmwareesxi
7.0:update_2c
vmwareesxi
7.0:update_2d
vmwareesxi
7.0:update_2e
vmwareesxi
7.0:update_3
vmwareesxi
7.0:update_3c
vmwareesxi
7.0:update_3d
vmwareesxi
7.0:update_3e
vmwareesxi
7.0:update_3f
vmwareesxi
7.0:update_3g
vmwareesxi
7.0:update_3i
vmwareesxi
7.0:update_3j
vmwareesxi
7.0:update_3k
vmwareesxi
7.0:update_3l
vmwareesxi
7.0:update_3m
vmwareesxi
7.0:update_3n
vmwareesxi
7.0:update_3o
vmwareesxi
7.0.0:b
vmwareesxi
8.0
vmwareesxi
8.0:a
vmwareesxi
8.0:b
vmwareesxi
8.0:c
vmwareesxi
8.0:update_1
vmwareesxi
8.0:update_1a
vmwareesxi
8.0:update_1c
vmwareesxi
8.0:update_2
vmwarefusion
13.0.0 ≤
𝑥
< 13.5.1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://www.vmware.com/security/advisories/VMSA-2024-0006.html
https://www.vmware.com/security/advisories/VMSA-2024-0006.html