Updates have been issued by VMware to resolve critical security vulnerabilities impacting its ESXi, Cloud Foundation, Fusion, and Workstation offerings, according to Security Affairs.
The most severe of the addressed flaws are a pair of use-after-free issues in the XHCI USB and UHCI USB controllers, tracked as CVE-2024-22252 and CVE-2024-22253, respectively, VMware said in its advisory. Threat actors with local admin privileges could leverage either vulnerability to execute code as the virtual machine's VMX process running on the host. However, VMware emphasized that the extent of potential abuse differs across its products. "On ESXi, the exploitation is contained within the VMX sandbox whereas, on Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed," said VMware. Aside from the critical bugs, VMware also fixed a high-severity ESXi out-of-bounds write flaw, tracked as CVE-2024-22254, and a high-severity UHCI USB controller information disclosure issue, tracked as CVE-2024-22255.